This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.
Extended Description
A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).
For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL.
It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).
Likelihood Of Attack
High
Typical Severity
High
Relationships
This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
Nature
Type
ID
Name
ChildOf
Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.
Survey web application for URLs with parameters: Using a browser, an automated tool or by inspecting the application, an adversary records all URLs that contain parameters.
Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Experiment
Probe URLs to locate vulnerabilities: The adversary uses the URLs gathered in the "Explore" phase as a target list and tests parameters with different encodings of special characters to see how the web application will handle them.
Techniques
Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally.
Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes.
Exploit
Inject special characters into URL parameters: Using the information gathered in the "Experiment" phase, the adversary injects special characters into the URL using URL encoding. This can lead to path traversal, cross-site scripting, SQL injection, etc.
Prerequisites
The application should accepts and decodes URL input.
The application performs insufficient filtering/canonicalization on the URLs.
Skills Required
[Level: Low]
An adversary can try special characters in the URL and bypass the URL validation.
[Level: Medium]
The adversary may write a script to defeat the input filtering mechanism.
Indicators
If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.
Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
Consequences
This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Scope
Impact
Likelihood
Confidentiality
Read Data
Availability
Resource Consumption
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
Confidentiality
Access Control
Authorization
Gain Privileges
Mitigations
Refer to the RFCs to safely decode URL.
Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.
There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.
Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.
Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)
When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.
Example Instances
URL Encodings in IceCast MP3 Server.
The following type of encoded string has been known traverse directories against the IceCast MP3 server9:
Original database query in the example file - "login.asp": SQLQuery = "SELECT preferences FROM logintable WHERE userid='" & Request.QueryString("userid") & "' AND password='" & Request.QueryString("password") & "';"
Executed database query: SELECT preferences FROM logintable WHERE userid='bob'; update logintable set password='0wn3d';
From "URL encoded attacks", by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
Combined Encodings CesarFTP
Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.
An adversary could provide a URL that included a string like
/...%5C/
This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.
CAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see
parent
)
References
[REF-1] G. Hoglund and
G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
[REF-496] T. Berners-Lee, R. Fielding
and L. Masinter. "RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax". 2005-01.
<http://www.ietf.org/rfc/rfc3986.txt>.
[REF-497] T. Berners-Lee, L. Masinter
and M. McCahill. "RFC 1738 - Uniform Resource Locators (URL)". 1994-12.
<http://www.ietf.org/rfc/rfc1738.txt>.