Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-64:Using Slashes and URL Encoding Combined to Bypass Validation Logic
Attack Pattern ID:64
Version:v3.9
Attack Pattern Name:Using Slashes and URL Encoding Combined to Bypass Validation Logic
Abstraction:Detailed
Status:Draft
Likelihood of Attack:High
Typical Severity:High
DetailsContent HistoryRelated WeaknessesReports
▼Description
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
▼Extended Description
▼Alternate Terms
▼Relationships
NatureTypeIDName
ChildOfS267Leverage Alternate Encoding
CanFollowD80Using UTF-8 Encoding to Bypass Validation Logic
Nature: ChildOf
Type: Standard
ID: 267
Name: Leverage Alternate Encoding
Nature: CanFollow
Type: Detailed
ID: 80
Name: Using UTF-8 Encoding to Bypass Validation Logic
▼Execution Flow
Explore
1.

The attacker accesses the server using a specific URL.

The attacker accesses the server using a specific URL.

Technique
Experiment
1.

The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.

The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.

Technique
Exploit
1.

The attacker crafts a malicious URL string request and sends it to the server.

The attacker crafts a malicious URL string request and sends it to the server.

Technique
2.

The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.

The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.

Technique
▼Prerequisites
The application accepts and decodes URL string request.
The application performs insufficient filtering/canonicalization on the URLs.
▼Skills Required
Low

An attacker can try special characters in the URL and bypass the URL validation.

Medium

The attacker may write a script to defeat the input filtering mechanism.

▼Resources Required
▼Indicators
If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.
Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
▼Consequences
ScopeLikelihoodImpactNote
AvailabilityN/AResource ConsumptionDenial of Service
ConfidentialityIntegrityAvailabilityN/AExecute Unauthorized CommandsRun Arbitrary Code
ConfidentialityN/ARead DataN/A
ConfidentialityAccess ControlAuthorizationN/AGain PrivilegesN/A
Scope: Availability
Likelihood: N/A
Impact: Resource Consumption
Note: Denial of Service
Scope: Confidentiality, Integrity, Availability
Likelihood: N/A
Impact: Execute Unauthorized Commands
Note: Run Arbitrary Code
Scope: Confidentiality
Likelihood: N/A
Impact: Read Data
Note: N/A
Scope: Confidentiality, Access Control, Authorization
Likelihood: N/A
Impact: Gain Privileges
Note: N/A
▼Mitigations
Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.
Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.
When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.
Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.
Refer to the RFCs to safely decode URL.
Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.
There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
▼Example Instances
▼Related Weaknesses
IDName
CWE-177Improper Handling of URL Encoding (Hex Encoding)
CWE-172Encoding Error
CWE-173Improper Handling of Alternate Encoding
CWE-20Improper Input Validation
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-697Incorrect Comparison
CWE-707Improper Neutralization
CWE-73External Control of File Name or Path
CWE-74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ID: CWE-177
Name: Improper Handling of URL Encoding (Hex Encoding)
ID: CWE-172
Name: Encoding Error
ID: CWE-173
Name: Improper Handling of Alternate Encoding
ID: CWE-20
Name: Improper Input Validation
ID: CWE-22
Name: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ID: CWE-697
Name: Incorrect Comparison
ID: CWE-707
Name: Improper Neutralization
ID: CWE-73
Name: External Control of File Name or Path
ID: CWE-74
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
▼Taxonomy Mappings
Taxonomy NameEntry IDEntry Name
▼Notes
▼References
Reference ID: REF-1
Title: Exploiting Software: How to Break Code
Author: G. Hoglund, G. McGraw
Publication:
Publisher:Addison-Wesley
Edition:
URL:
URL Date:
Day:N/A
Month:02
Year:2004
Reference ID: REF-495
Title: URL Encoded Attacks - Attacks using the common web browser
Author: Gunter Ollmann
Publication:
Publisher:CGISecurity.com
Edition:
URL:http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
URL Date:
Day:N/A
Month:N/A
Year:N/A
Reference ID: REF-496
Title: RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
Author: T. Berners-Lee, R. Fielding, L. Masinter
Publication:
Publisher:
Edition:
URL:http://www.ietf.org/rfc/rfc3986.txt
URL Date:
Day:N/A
Month:01
Year:2005
Reference ID: REF-497
Title: RFC 1738 - Uniform Resource Locators (URL)
Author: T. Berners-Lee, L. Masinter, M. McCahill
Publication:
Publisher:
Edition:
URL:http://www.ietf.org/rfc/rfc1738.txt
URL Date:
Day:N/A
Month:12
Year:1994
Reference ID: REF-498
Title: HTML URL Encoding Reference
Author:
Publication:
W3Schools.com
Publisher:Refsnes Data
Edition:
URL:http://www.w3schools.com/tags/ref_urlencode.asp
URL Date:
Day:N/A
Month:N/A
Year:N/A
Reference ID: REF-499
Title: The URLEncode and URLDecode Page
Author:
Publication:
Publisher:Albion Research Ltd
Edition:
URL:http://www.albionresearch.com/misc/urlencode.php
URL Date:
Day:N/A
Month:N/A
Year:N/A
Reference ID: REF-500
Title: Secure Programming for Linux and Unix HOWTO
Author: David Wheeler
Publication:
Publisher:
Edition:
URL:http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS
URL Date:
Day:N/A
Month:N/A
Year:N/A
Details not found