Home > CAPEC List > CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic (Version 3.0)  

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

Attack Pattern ID: 64
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.267Leverage Alternate Encoding
PeerOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.80Using UTF-8 Encoding to Bypass Validation Logic
+ Execution Flow
Explore
  1. The attacker accesses the server using a specific URL.

Experiment
  1. The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.

Exploit
  1. The attacker crafts a malicious URL string request and sends it to the server.

  2. The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.

+ Prerequisites
The application accepts and decodes URL string request.
The application performs insufficient filtering/canonicalization on the URLs.
+ Skills Required
[Level: Low]
An attacker can try special characters in the URL and bypass the URL validation.
[Level: Medium]
The attacker may write a script to defeat the input filtering mechanism.
+ Indicators
If the first decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious.
Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Availability
Resource Consumption
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
Confidentiality
Read Data
Confidentiality
Access Control
Authorization
Gain Privileges
+ Mitigations
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input.
Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.
When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.
Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.
Refer to the RFCs to safely decode URL.
Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.
There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
+ Example Instances

Attack Example: Combined Encodings CesarFTP

Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.

An attacker could provide a URL that included a string like

/...%5C/

This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.

See also: CVE-2001-1335
+ References
[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
[REF-495] Gunter Ollmann. "URL Encoded Attacks - Attacks using the common web browser". CGISecurity.com. <http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html>.
[REF-496] T. Berners-Lee, R. Fielding and L. Masinter. "RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax". 2005-01. <http://www.ietf.org/rfc/rfc3986.txt>.
[REF-497] T. Berners-Lee, L. Masinter and M. McCahill. "RFC 1738 - Uniform Resource Locators (URL)". 1994-12. <http://www.ietf.org/rfc/rfc1738.txt>.
[REF-498] "HTML URL Encoding Reference". URL Encoding Reference. W3Schools.com. Refsnes Data. <http://www.w3schools.com/tags/ref_urlencode.asp>.
[REF-499] "The URLEncode and URLDecode Page". Albion Research Ltd. <http://www.albionresearch.com/misc/urlencode.php>.
[REF-500] David Wheeler. "Secure Programming for Linux and Unix HOWTO". 5.11.4. Validating Hypertext Links (URIs/URLs). <http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-01-09CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Description Summary
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated Obfuscation_Techniques, References

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018