Byte Open Security (ByteOS Network)
CAPEC-78: Using Escaped Slashes in Alternate Encoding
Attack Pattern ID: 78
Version: v3.9
Attack Pattern Name: Using Escaped Slashes in Alternate Encoding
Abstraction: Detailed
Status: Draft
Likelihood of Attack: High
Typical Severity: High
▼Description
This attack targets the use of the backslash as an alternate encoding. An adversary supplies a backslash as a leading character, which causes a parser to treat the character that follows as special; this is called an escape. Using this trick, the adversary exploits alternate ways of encoding the same character, so that a filter looking only for the canonical form misses it, which opens avenues to attack.
▼Relationships
Nature | Type | ID | Name
ChildOf | Standard | CAPEC-267 | Leverage Alternate Encoding
▼Execution Flow
Explore
1. Survey the application for user-controllable inputs
Using a browser, an automated tool, or by inspecting the application, an adversary records all entry points to the application.
Techniques:
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate the discovery.
Manually inspect the application to find entry points.
Experiment
1. Probe entry points to locate vulnerabilities
The adversary uses the entry points gathered in the "Explore" phase as a target list and attempts to escape multiple different special characters using a backslash.
Techniques:
Escape a special character with a backslash to bypass input validation.
Try different encodings of both the backslash and the special character (for example, URL-encoding the backslash) to see whether the combination bypasses input validation.
Exploit
1. Manipulate input
Once the adversary determines how to bypass filters that strip or reject special characters by using an escaped slash, they manipulate the user input in a way that is not intended by the application.
▼Prerequisites
The application accepts the backslash character as an escape character.
The application server does incomplete decoding, filtering, and validation of input data.
▼Skills Required
Low: The adversary can naively try the backslash character and discover that the target host uses it as an escape character.
Medium: The adversary may need a deep understanding of the target host in order to exploit the vulnerability. The adversary may also use automated tools to probe for this vulnerability.
▼Indicators
An adversary can use a fuzzer in order to probe for this vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system.
▼Consequences
Scope | Likelihood | Impact | Note
Confidentiality | N/A | Read Data | N/A
Availability | N/A | Resource Consumption | Denial of Service
Confidentiality, Integrity, Availability | N/A | Execute Unauthorized Commands | Run Arbitrary Code
Confidentiality, Access Control, Authorization | N/A | Bypass Protection Mechanism | N/A
▼Mitigations
Verify that user-supplied data does not use the backslash character to escape otherwise-filtered special characters.
Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match the allowlist should not be permitted to enter the system.
Be aware of the threat posed by alternative methods of data encoding.
Regular expressions can be used to filter out the backslash. Decode untrusted input before filtering and validating it, so that the filter sees the same value the downstream consumer will see.
In the case of path traversal, apply the principle of least privilege when determining access rights to file systems. Do not allow users to access directories or files that they should not access.
Any security checks should occur after the data has been decoded and validated as being in the correct data format. Do not repeat the decoding process; if bad characters (such as a remaining backslash or percent sign) are left after a single decoding pass, treat the data as suspicious and fail the validation.
Avoid making decisions based on the names of resources (e.g. files) if those resources can have alternate names.
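The following is an added example, not code from CAPEC or from this page, that ties the Experiment/Exploit steps of the execution flow to the mitigations above. It assumes a hypothetical download handler with a `file` parameter, a downstream consumer that strips backslash escapes (modelled by `unescape_backslash`), and a set of constructed probe strings. `naive_resolve` is the vulnerable "validate the raw value, then decode" pattern (CWE-180/181); `hardened_resolve` decodes exactly once, rejects any residual escape character, and then checks an allowlist. Function and variable names are the example's own.

```python
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Hypothetical target: a "file" parameter that must name a single file in a
# download directory. All names and inputs below are constructed for this example.

# Deny-list the developer applies to the RAW parameter: block "../" and "..\".
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Allowlist used by the hardened version: a bare file name with an optional
# extension; no path separators and no escape characters.
ALLOWED = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")


def unescape_backslash(s: str) -> str:
    """Model a downstream consumer that treats backslash as an escape.

    C-style string parsers, some shells and many ad-hoc readers turn
    backslash-x into x, so '.\\./' reaches the file system as '../'.
    """
    return re.sub(r"\\(.)", r"\1", s)


def decode_once(raw: str) -> str:
    """The application's decoding step: URL-decode once, then unescape."""
    return unescape_backslash(urllib.parse.unquote(raw))


def naive_resolve(raw: str) -> Optional[str]:
    """Vulnerable: validates the raw value, then decodes it (CWE-180/181).

    A backslash inserted into the traversal sequence, or a URL-encoded
    backslash, hides '../' from the filter but survives decoding.
    """
    if TRAVERSAL.search(raw):
        return None
    return decode_once(raw)


def hardened_resolve(raw: str) -> Optional[str]:
    """Hardened: decode exactly once, then validate the decoded value.

    A backslash or percent sign left after the single decoding pass means
    the input carried another layer of encoding; fail closed rather than
    decoding a second time.
    """
    decoded = decode_once(raw)
    if "\\" in decoded or "%" in decoded:
        return None
    if not ALLOWED.fullmatch(decoded):
        return None
    return decoded


def probe_variants() -> List[str]:
    """Experiment-phase probes: one traversal payload under several encodings
    of the backslash and of the character it escapes (constructed inputs)."""
    return [
        "../../etc/passwd",             # plain: the raw filter catches this
        ".\\./.\\./etc/passwd",         # backslash splits the '..' token
        "..\\/..\\/etc/passwd",         # backslash before the slash: still caught
        "..%5c/..%5c/etc/passwd",       # URL-encoded backslash before the slash
        ".%5c./.%5c./etc/passwd",       # URL-encoded backslash between the dots
        ".%255c./.%255c./etc/passwd",   # double-encoded backslash
        "report.pdf",                   # legitimate value
    ]


def run_probes() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Resolve every probe through both implementations: (naive, hardened)."""
    return {v: (naive_resolve(v), hardened_resolve(v)) for v in probe_variants()}


if __name__ == "__main__":
    for raw, (naive, hardened) in run_probes().items():
        print(f"{raw!r:34} naive={naive!r:30} hardened={hardened!r}")
```

Running the block shows the asymmetry the pattern relies on: the naive handler blocks `../../etc/passwd` and `..\/..\/etc/passwd` but hands `../../etc/passwd` to the file system for `.\./.\./etc/passwd` and `..%5c/..%5c/etc/passwd`, while the hardened handler accepts only `report.pdf`. The double-encoded probe illustrates the last mitigation: after one decoding pass a `%` remains, and the hardened version rejects it instead of decoding again.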
▼Related Weaknesses
ID | Name
CWE-172 | Encoding Error
CWE-173 | Improper Handling of Alternate Encoding
CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize
CWE-181 | Incorrect Behavior Order: Validate Before Filter
CWE-20 | Improper Input Validation
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-697 | Incorrect Comparison
CWE-707 | Improper Neutralization
CWE-73 | External Control of File Name or Path
CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')