| Name |
Using Slashes and URL Encoding Combined to Bypass Validation Logic |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. |
| Prerequisites |
The application accepts and decodes URL string request. The application performs insufficient filtering/canonicalization on the URLs. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
The attacker accesses the server using a specific URL. |
|
| 2 |
Experiment |
The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly. |
|
| 3 |
Exploit |
The attacker crafts a malicious URL string request and sends it to the server. |
|
| 4 |
Exploit |
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences. |
|
|
| Solutions | Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input. Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible. Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Refer to the RFCs to safely decode URL. Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive. There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx). |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-20 |
Improper Input Validation |
| CWE-22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-73 |
External Control of File Name or Path |
| CWE-74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-172 |
Encoding Error |
| CWE-173 |
Improper Handling of Alternate Encoding |
| CWE-177 |
Improper Handling of URL Encoding (Hex Encoding) |
| CWE-697 |
Incorrect Comparison |
| CWE-707 |
Improper Neutralization |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-267 |
An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard. |
|