This attack targets the encoding of the slash characters. An attacker
tries to exploit common filtering problems related to the use of the
slash characters to gain access to resources on the target host.
Directory-driven systems, such as file systems and databases, typically use
the slash character to indicate traversal between directories or other
container components. For murky historical reasons, PCs (and, as a result,
Microsoft OSs) chose to use a backslash, whereas the UNIX world typically
makes use of the forward slash. The schizophrenic result is that many
MS-based systems are required to understand both forms of the slash. This
gives the attacker many opportunities to discover and abuse a number of
common filtering problems. The goal of this pattern is to discover server
software that applies filters to only one form of the slash but not the other.
Attack Execution Flow
The attacker has access to a resource path and is required to use slashes as the resource delimiter.
The attacker tries variations and combinations of the slash characters in different encoding formats.
The attacker finds an unfiltered combination that maps to a valid path and accesses unauthorized resources (directories, files, etc.).
Attack Prerequisites
The application server accepts paths to locate resources.
The application server does insufficient input data validation on the
resource path requested by the user.
Access rights to resources are not set properly.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Protocol Manipulation
API Abuse
Examples-Instances
Description
The two following requests are equivalent on most Web servers:
Multiple encoding conversion problems can also be leveraged, as the various
slashes can be instantiated in URL-encoded, UTF-8, or Unicode form. Consider the
strings
An attacker can try variations of the slash characters.
Skill or Knowledge Level: Medium
An attacker can use more sophisticated tools or scripts to scan a
website and find a path filtering problem.
Probing Techniques
Description
An attacker can try different encoding formats for the slash
characters and check whether they produce the same filtering results.
Description
Automated tools such as fuzzers can be used to test the URL decoding
and filtering. Custom scripts can also be used. For example, a good
test file for verifying the correct interpretation of UTF-8 encoded
characters can be found at
http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
Indicators-Warnings of Attack
Description
If the first path decoding pass has left some invalid or
blacklisted characters, that may be a sign that the request is
malicious.
Description
Traffic filtering with an IDS (or proxy) can detect requests with
suspicious URLs. An IDS may use signature-based identification to reveal
such URL-based attacks.
Description
An attacker can use a fuzzer in order to probe for a UTF-8 encoding
vulnerability. The fuzzer should generate suspicious network
activity.
Obfuscation Techniques
Description
Typically the obfuscation here is the use of a different, alternate
encoding format (UTF-8, Unicode, etc.).
Solutions and Mitigations
Any security checks should occur after the data has been decoded and
validated as being in the correct data format. Do not repeat the decoding process; if bad
characters are left after the decoding process, treat the data as suspicious and
fail the validation process. Refer to the RFCs to safely decode URLs.
When client input is required from web-based forms, avoid using the "GET"
method to submit data, as the method causes the form data to be appended to
the URL and is easily manipulated. Instead, use the "POST" method whenever
possible.
There are tools that scan HTTP requests to the server for valid URLs, such as
URLScan from Microsoft
(http://www.microsoft.com/technet/security/tools/urlscan.mspx).
Be aware of the threat of alternative methods of data encoding and
obfuscation techniques such as IP address encoding. (See the related guideline
section.)
Test your path decoding process against malicious input.
In the case of path traversals, use the principle of least privilege when
determining access rights to file systems. Do not allow users to access
directories/files that they should not access.
Assume all input is malicious. Create a white list that defines all valid
input to the application based on the requirements specification. Input
that does not match the white list should not be permitted to enter
the system.
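The decode-once-then-validate rule from the mitigations above, and the "test your path decoding process against malicious input" advice, as an added example that is not part of this CAPEC entry. It assumes a constructed document root of /var/www/html and a constructed per-segment allow-list; the probe strings are constructed test vectors covering the plain, URL-encoded, backslash, double-encoded and overlong-UTF-8 forms of the slash.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; not a real deployment path.
BASE_DIR = "/var/www/html"
# Constructed allow-list for one decoded path segment (letters, digits, . _ -).
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


class PathRejected(ValueError):
    """The request path failed validation after a single decoding pass."""


def decode_and_validate(raw_path: str, base_dir: str = BASE_DIR) -> str:
    """Decode raw_path exactly once, validate the decoded form, and return
    the absolute filesystem path it maps to under base_dir."""
    # One decode, strict UTF-8: overlong or truncated byte sequences are errors.
    try:
        decoded = unquote(raw_path, encoding="utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise PathRejected(f"invalid UTF-8: {exc.reason}") from None
    # A '%' surviving the single decode means double encoding; never decode again.
    if "%" in decoded:
        raise PathRejected("residual percent-encoding after one decode")
    # Refuse the backslash outright rather than filtering both slash forms.
    if "\\" in decoded:
        raise PathRejected("backslash in path")
    if not decoded.startswith("/"):
        raise PathRejected("path is not absolute")
    segments = decoded[1:].split("/")
    for seg in segments:
        # Empty ('//'), '.' and '..' segments are never valid here.
        if seg in ("", ".", "..") or not set(seg) <= SAFE_CHARS:
            raise PathRejected(f"bad segment {seg!r}")
    full = posixpath.normpath(posixpath.join(base_dir, *segments))
    # Containment check as a second line of defence after the allow-list.
    if not full.startswith(base_dir + "/"):
        raise PathRejected("escapes document root")
    return full


def is_rejected(raw_path: str) -> bool:
    """True if the validator refuses raw_path."""
    try:
        decode_and_validate(raw_path)
    except PathRejected:
        return True
    return False
```

Because validation runs on the decoded string, `/images/logo.png` and `/images%2flogo.png` yield the same result, while the backslash, double-encoded and overlong forms are all refused.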
Attack Motivation-Consequences
Scope                                           Technical Impact                        Note
Confidentiality                                 Read application data
Confidentiality, Integrity, Availability        Execute unauthorized code or commands
Confidentiality, Access Control, Authorization  Gain privileges / assume identity
Injection Vector
The injection vector is a string path, such as a URL path.
Payload
The payload is a string path containing malicious slash characters.
Alternate encoding formats can also be used to encode the slash
characters.
Payload Activation Impact
Description
The impact of the payload is access to unauthorized resources.