Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
This attack leverages the possibility of encoding potentially harmful input and submitting it to an application that does not expect, or does not effectively validate, that encoding. Because the filter and the consumer of the data disagree on how the bytes are interpreted, input filtering becomes difficult to get right.
Example: Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 does not properly handle unspecified "encoding strings," which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site, aka "Post Encoding Information Disclosure Vulnerability." Related Vulnerabilities: CVE-2010-0488
Skill or Knowledge Level: Low. An attacker can inject a different representation of a filtered character in another encoding.
Skill or Knowledge Level: Medium. An attacker may craft subtle encodings of input data using the knowledge they have gathered about the target host.
An attacker may try to inject dangerous characters using different encodings (for example, invalid UTF-8 sequences, overlong UTF-8, or Chinese characters in Big-5). The attacker hopes that the targeted system does poor input filtering for some of the many possible representations of the malicious characters, typically because the filter runs before the data is decoded into the form the application actually uses. Malicious input can be sent through an HTML form, encoded directly in the URL, or as part of a database query. The attacker can use scripts or automated tools to probe for poor input filtering.
Assume all input might use an improper representation. Use canonicalized data inside the application: convert all data into the single representation used internally (UTF-8, UTF-16, etc.) before validating it, and reject malformed sequences (invalid or overlong UTF-8, undecodable percent-escapes) rather than silently repairing them.
Assume all input is malicious. Create a whitelist that defines all valid input to the software system based on the requirements specification; input that does not match the whitelist, after canonicalization, should not be permitted to enter the system. Test your decoding process against malicious input.
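Both mitigations come down to one rule: decode to the application's canonical form first, rejecting anything malformed, and only then apply the whitelist. The following Python is an added example and not part of the CAPEC entry; the BLOCKED and ALLOWED policies, the deliberately lenient toy UTF-8 decoder, and the probe strings are all constructed here for illustration. It contrasts a pipeline that filters raw bytes before decoding with one that canonicalizes (strict UTF-8, percent-decoding to a fixed point, NFKC) and then whitelists.

```python
"""Added example (not CAPEC's code): filtering before canonicalization vs. after.

Both pipelines are constructed for this page. BLOCKED and ALLOWED are
illustrative policy choices, not taken from the original text.
"""
import re
import unicodedata
from urllib.parse import unquote

# Characters a naive "dangerous character" blacklist looks for.
BLOCKED = ("<", ">", "'", '"', ";")
# Whitelist applied to the canonical form: a short identifier-like value.
ALLOWED = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")
MAX_PERCENT_LAYERS = 4


def lenient_utf8_decode(data: bytes) -> str:
    """Toy decoder reproducing the classic flaw: it accepts overlong
    sequences, so C0 BC decodes to '<' instead of being rejected.
    (Python's own bytes.decode('utf-8') correctly refuses these.)"""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 1
        elif 0xC0 <= b < 0xE0:
            cp, n = b & 0x1F, 2
        elif 0xE0 <= b < 0xF0:
            cp, n = b & 0x0F, 3
        elif 0xF0 <= b < 0xF8:
            cp, n = b & 0x07, 4
        else:
            raise ValueError("invalid UTF-8 lead byte")
        for k in range(1, n):
            if i + k >= len(data) or (data[i + k] & 0xC0) != 0x80:
                raise ValueError("truncated or invalid continuation byte")
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp))  # no check that the shortest form was used
        i += n
    return "".join(out)


def vulnerable_pipeline(raw: bytes) -> str:
    """Filters the raw bytes, then decodes: the filter never sees the
    representation the application actually uses."""
    for ch in BLOCKED:
        if ch.encode("ascii") in raw:
            raise ValueError("blocked character")
    text = lenient_utf8_decode(raw)   # overlong '<' reappears here
    return unquote(text)              # percent-encoded '<' reappears here


def canonicalize(raw: bytes) -> str:
    """Convert input to the single internal representation (str) and
    reject anything that is not well-formed along the way."""
    text = raw.decode("utf-8")        # strict: overlong/invalid -> ValueError
    for _ in range(MAX_PERCENT_LAYERS):  # decode nested %xx to a fixed point
        decoded = unquote(text, errors="strict")
        if decoded == text:
            break
        text = decoded
    else:
        raise ValueError("too many percent-encoding layers")
    return unicodedata.normalize("NFKC", text)  # e.g. U+FF1C '＜' -> '<'


def hardened_pipeline(raw: bytes) -> str:
    """Canonicalize first, then apply the whitelist to the canonical form."""
    text = canonicalize(raw)
    if not ALLOWED.fullmatch(text):
        raise ValueError("input not in whitelist")
    return text


if __name__ == "__main__":
    # Constructed probes: each hides '<' / '>' from a byte-level blacklist.
    probes = [
        b"\xc0\xbcscript\xc0\xbe",             # overlong UTF-8
        b"%3Cscript%3E",                       # percent-encoded
        b"%253Cscript%253E",                   # double percent-encoded
        "\uff1cscript\uff1e".encode("utf-8"),  # fullwidth Unicode look-alikes
    ]
    for p in probes:
        try:
            print("vulnerable:", repr(vulnerable_pipeline(p)))
        except ValueError as e:
            print("vulnerable rejected:", e)
        try:
            print("hardened:  ", repr(hardened_pipeline(p)))
        except ValueError as e:
            print("hardened rejected:", e)
```

Running it shows the overlong and percent-encoded probes coming out of the vulnerable pipeline as a literal `<script>` even though the blacklist "passed" them, while the hardened pipeline rejects all four: the overlong bytes fail strict decoding, the percent-encoded variants decode to `<` and fail the whitelist, and the fullwidth characters are folded to `<` by NFKC before the whitelist sees them. The fixed-point loop is bounded so that an attacker cannot make the decoder spin on deeply nested escapes.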
[R.267.1] [REF-1] "WASC Threat Classification 2.0". WASC-20 - Improper Input Handling. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/Improper-Input-Handling>.
[R.267.2] [REF-4] "OWASP". Category: Encoding. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/Category:Encoding>.
[R.267.3] [REF-4] "OWASP". Canonicalization, locale and Unicode. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode>.
[R.267.4] [REF-4] "OWASP". XSS (Cross Site Scripting) Prevention Cheat Sheet. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>.
[R.267.5] [REF-18] David Wheeler. "Secure Programming for Linux and Unix HOWTO". Chapter 5 Section 9: Character Encoding. <http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html>.
[R.267.6] [REF-6] "Wikipedia". Character encoding. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Character_encoding>.