Failure to Handle URL Encoding (Hex Encoding) |
| Weakness ID: 177 (Weakness Variant) | Status: Draft |
DescriptionDescription Summary
Time of Introduction- Implementation
Applicable PlatformsLanguages
All
Observed Examples| Reference | Description |
|---|---|
| CVE-2000-0900 | Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" |
| CVE-2005-2256 | Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" |
| CVE-2004-2121 | Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e" |
| CVE-2004-0280 | "%20" (encoded space) |
| CVE-2003-0424 | "%20" (encoded space) |
| CVE-2001-0693 | "%20" (encoded space) |
| CVE-2001-0778 | "%20" (encoded space) |
| CVE-2002-1831 | Crash via hex-encoded space "%20". |
| CVE-2000-0671 | "%00" (encoded null) |
| CVE-2004-0189 | "%00" (encoded null) |
| CVE-2002-1291 | "%00" (encoded null) |
| CVE-2002-1031 | "%00" (encoded null) |
| CVE-2001-1140 | "%00" (encoded null) |
| CVE-2004-0760 | "%00" (encoded null) |
| CVE-2002-1025 | "%00" (encoded null) |
| CVE-2002-1213 | "%2f" (encoded slash) |
| CVE-2004-0072 | "%5c" (encoded backslash) and "%2e" (encoded dot) sequences |
| CVE-2004-0847 | "%5c" (encoded backslash) |
| CVE-2002-1575 | "%0a" (overlaps CRLF) |
Potential MitigationsAvoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. |
Phase: Architecture and Design Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. |
Use and specify a strong output encoding (such as ISO 8859-1 or UTF 8). |
Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants. |
Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. |
Relationships| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf |  Weakness Class | 172 | Encoding Error | Development Concepts (primary)699 Research Concepts (primary)1000 |
Taxonomy Mappings| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | URL Encoding (Hex Encoding) |
Related Attack Patterns Content History| Submissions | ||||
|---|---|---|---|---|
| Submission Date | Submitter | Organization | Source | |
| PLOVER | Externally Mined | |||
| Modifications | ||||
| Modification Date | Modifier | Organization | Source | |
| 2008-07-01 | Eric Dalci | Cigital | External | |
| updated Potential Mitigations, Time of Introduction | ||||
| 2008-08-15 | Veracode | External | ||
| Suggested OWASP Top Ten 2004 mapping | ||||
| 2008-09-08 | CWE Content Team | MITRE | Internal | |
| updated Relationships, Observed Example, Taxonomy Mappings | ||||
| 2009-07-27 | CWE Content Team | MITRE | Internal | |
| updated Potential Mitigations | ||||
| Previous Entry Names | ||||
| Change Date | Previous Entry Name | |||
| 2008-04-11 | URL Encoding (Hex Encoding) | |||
