Home > CAPEC List > CAPEC-120: Double Encoding (Version 2.11)  

CAPEC-120: Double Encoding

Double Encoding
Definition in a New Window Definition in a New Window
Attack Pattern ID: 120
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. The may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.

+ Attack Steps
  1. Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.

+ Attack Prerequisites
  • The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.

+ Typical Severity


+ Resources Required

Tools that automate encoding of data can assist the adversary in generating encoded strings.

+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Attack_Phases, Description Summary, Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017