An attacker exploits weaknesses in input validation by manipulating the
content of request parameters for the purpose of undermining the security of
the target. Some parameter encodings use text characters as separators. For
example, parameters in an HTTP GET message are encoded as name-value pairs
separated by an ampersand (&). If an attacker can supply text
strings that are used to fill in these parameters, then they can inject
special characters used in the encoding scheme to add or modify parameters.
For example, if user input is fed directly into an HTTP GET request and the
user provides the value "myInput&new_param=myValue", then the input
parameter is set to myInput, but a new parameter (new_param) is also added
with a value of myValue. This can significantly change the meaning of the
query that is processed by the server. Any encoding scheme where parameters
are identified and separated by text characters is potentially vulnerable to
this attack; the HTTP GET encoding used above is just one example.
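
The following is an added example, not part of the original entry: it builds the GET query from the text above with naive concatenation and with percent-encoding, then parses both the way a receiving server would. The parameter name "input", the allow-list check, and all function names are assumptions made for illustration; the check also flags repeated names, which covers the "modify" case as well as the "add" case.

```python
from collections import Counter
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed sample: the user-supplied value quoted in the text above.
USER_INPUT = "myInput&new_param=myValue"


def build_query_unsafe(value):
    """Vulnerable pattern: user text is pasted straight into the query string."""
    return "input=" + value


def build_query_safe(value):
    """Hardened pattern: urlencode percent-encodes '&' and '=' inside the value."""
    return urlencode({"input": value})


def server_view(query):
    """The name -> values mapping a receiving server parses from the query."""
    return parse_qs(query, keep_blank_values=True)


def injected_names(query, allowed):
    """Defensive check before sending: names that are unexpected or repeated."""
    counts = Counter(name for name, _ in parse_qsl(query, keep_blank_values=True))
    return sorted(n for n, c in counts.items() if n not in allowed or c > 1)


if __name__ == "__main__":
    for build in (build_query_unsafe, build_query_safe):
        query = build(USER_INPUT)
        print(build.__name__)
        print("  query string :", query)
        print("  server parses:", server_view(query))
        print("  flagged names:", injected_names(query, {"input"}))
```

With the unsafe builder the server sees two parameters; with the encoded builder it sees one parameter whose value is the full user string.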
Attack Prerequisites
The target application must use a parameter encoding where separators and
parameter identifiers are expressed in regular text.
The target application must accept a string as user input, fail to
sanitize characters that have a special meaning in the parameter encoding,
and insert the user-supplied string in an encoding which is then
processed.
Resources Required
No special resources are required beyond the ability to provide string input
to the target.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.