Dark Mode
Capec-64 Detail
Using Slashes and URL Encoding Combined to Bypass Validation Logic
Detailed Software Likelihood: High Typical Severity: High
Parents: 267
Threats: T62 T290 T291
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-64 | capec | https://capec.mitre.org/data/definitions/64.html | |
| CWE-177 | cwe | http://cwe.mitre.org/data/definitions/177.html | |
| CWE-173 | cwe | http://cwe.mitre.org/data/definitions/173.html | |
| CWE-172 | cwe | http://cwe.mitre.org/data/definitions/172.html | |
| CWE-73 | cwe | http://cwe.mitre.org/data/definitions/73.html | |
| CWE-22 | cwe | http://cwe.mitre.org/data/definitions/22.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| CWE-707 | cwe | http://cwe.mitre.org/data/definitions/707.html | |
| REF-1 | reference_from_CAPEC | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley | |
| REF-495 | reference_from_CAPEC | http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html | Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com |
| REF-496 | reference_from_CAPEC | http://www.ietf.org/rfc/rfc3986.txt | T. Berners-Lee, R. Fielding, L. Masinter, RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax, 2005--01 |
| REF-497 | reference_from_CAPEC | http://www.ietf.org/rfc/rfc1738.txt | T. Berners-Lee, L. Masinter, M. McCahill, RFC 1738 - Uniform Resource Locators (URL), 1994--12 |
| REF-498 | reference_from_CAPEC | http://www.w3schools.com/tags/ref_urlencode.asp | HTML URL Encoding Reference, W3Schools.com, Refsnes Data |
| REF-499 | reference_from_CAPEC | http://www.albionresearch.com/misc/urlencode.php | The URLEncode and URLDecode Page, Albion Research Ltd |
| REF-500 | reference_from_CAPEC | http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS | David Wheeler, Secure Programming for Linux and Unix HOWTO |
Explore
-
The attacker accesses the server using a specific URL.
Experiment
-
The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.
Exploit
-
The attacker crafts a malicious URL string request and sends it to the server.
-
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.
- The application accepts and decodes URL string request.
- The application performs insufficient filtering/canonicalization on the URLs.
Not present
| Low | Medium |
|---|---|
| An attacker can try special characters in the URL and bypass the URL validation. | |
| The attacker may write a script to defeat the input filtering mechanism. |
| Integrity | Availability | Authorization | Access Control | Confidentiality |
|---|---|---|---|---|
| Execute Unauthorized Commands (Run Arbitrary Code) | Resource Consumption (Denial of Service) | Gain Privileges | Gain Privileges | Execute Unauthorized Commands (Run Arbitrary Code) |
| Execute Unauthorized Commands (Run Arbitrary Code) | Read Data | |||
| Gain Privileges |
- Attack Example: Combined Encodings CesarFTP Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks. An attacker could provide a URL that included a string like /...%5C/ This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.See also: CVE-2001-1335