Dark Mode
Capec-120 Detail
Double Encoding
Detailed Software Likelihood: Low Typical Severity: Medium
Parents: 267
Threats: T62 T263 T290 T291 T307
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-120 | capec | https://capec.mitre.org/data/definitions/120.html | |
| CWE-173 | cwe | http://cwe.mitre.org/data/definitions/173.html | |
| CWE-172 | cwe | http://cwe.mitre.org/data/definitions/172.html | |
| CWE-177 | cwe | http://cwe.mitre.org/data/definitions/177.html | |
| CWE-181 | cwe | http://cwe.mitre.org/data/definitions/181.html | |
| CWE-183 | cwe | http://cwe.mitre.org/data/definitions/183.html | |
| CWE-184 | cwe | http://cwe.mitre.org/data/definitions/184.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| CWE-692 | cwe | http://cwe.mitre.org/data/definitions/692.html |
Explore
-
Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
| Manually inspect the application to find entry points. |
Experiment
-
Probe entry points to locate vulnerabilities: Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.
| Techniques |
|---|
| Try to use double-encoding to bypass validation routines. |
- The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.
- The application accepts and decodes URL string request.
- The application performs insufficient filtering/canonicalization on the URLs.
- Tools that automate encoding of data can assist the adversary in generating encoded strings.
Not present
Not present
- Double Enconding Attacks can often be used to bypass Cross Site Scripting (XSS) detection and execute XSS attacks.: %253Cscript%253Ealert('This is an XSS Attack')%253C%252Fscript%253E Since <, <, and / are often sued to perform web attacks, these may be captured by XSS filters. The use of double encouding prevents the filter from working as intended and allows the XSS to bypass dectection. This can allow an adversary to execute malicious code.