Using Slashes and URL Encoding Combined to Bypass Validation Logic |
Attack Pattern ID: 64 (Detailed Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft |
Summary
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
Attack Execution Flow
The attacker accesses the server using a specific URL.
The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.
The attacker crafts a malicious URL string request and sends it to the server.
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.
The application accepts and decodes URL string request.
The application performs insufficient filtering/canonicalization on the URLs.
Description
Attack Example: Combined Encodings CesarFTP
Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.
An attacker could provide a URL that included a string like
This is an interesting exploit because it involves an aggregation of several tricks—the escape character, URL encoding, and the triple dot.
Related Vulnerabilities
CVE-2001-1335
Skill or Knowledge Level: Low
An attacker can try special characters in the URL and bypass the URL validation.
Skill or Knowledge Level: Medium
The attacker may write a script to defeat the input filtering mechanism.
An attacker can manually inject special characters in the URL string request and observe the results of the request.
Custom scripts can also be used. For example, a good script for verifying the correct interpretation of UTF-8 encoded characters can be found at http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
Automated tools such as fuzzer can be used to test the URL decoding and filtering.
If the first decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious.
Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
Sometime the percent escaping can be used to obfuscate the attack itself.
Alternative method of data encoding can be used.
Obfuscation technique such as IP address encoding can also be used (See reference section : "URL encoded attacks", by Gunter Ollmann).
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input.
Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.
When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.
Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.
Refer to the RFCs to safelly decode URL.
Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.
There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
- Information Leakage
- Denial of Service
- Run Arbitrary Code
- Information Leakage
- Privilege Escalation
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
177 | Failure to Handle URL Encoding (Hex Encoding) | Targeted |
171 | Cleansing, Canonicalization, and Comparison Errors | Targeted |
173 | Failure to Handle Alternate Encoding | Targeted |
172 | Encoding Error | Targeted |
73 | External Control of File Name or Path | Targeted |
21 | Pathname Traversal and Equivalence Errors | Targeted |
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Targeted |
74 | Failure to Sanitize Data into a Different Plane ('Injection') | Targeted |
20 | Improper Input Validation | Targeted |
697 | Insufficient Comparison | Targeted |
707 | Improper Enforcement of Message or Data Structure | Targeted |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
PeerOf | Attack Pattern | 43 | Exploiting Multiple Input Interpretation Layers | Mechanism of Attack1000 | |
PeerOf | Attack Pattern | 71 | Using Unicode Encoding to Bypass Validation Logic | Mechanism of Attack1000 | |
ChildOf | Attack Pattern | 72 | URL Encoding | Mechanism of Attack1000 | |
PeerOf | Attack Pattern | 72 | URL Encoding | Mechanism of Attack1000 | |
PeerOf | Attack Pattern | 79 | Using Slashes in Alternate Encoding | Mechanism of Attack1000 | |
ChildOf | Attack Pattern | 79 | Using Slashes in Alternate Encoding | Mechanism of Attack1000 | |
ChildOf | Category | 126 | Path Traversal | Mechanism of Attack (primary)1000 | |
ChildOf | Attack Pattern | 267 | Leverage Alternate Encoding | Mechanism of Attack (primary)1000 | |
PeerOf | Attack Pattern | 78 | Using Escaped Slashes in Alternate Encoding | Mechanism of Attack1000 | |
PeerOf | Attack Pattern | 80 | Using UTF-8 Encoding to Bypass Validation Logic | Mechanism of Attack1000 |
CWE - Input Validation
URL encoded attacks, by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
Uniform Resource Identifier (URI): Generic Syntax, RFC 3886 - http://www.ietf.org/rfc/rfc3986.txt
URL Uniform Resource Locators (URL) RFC - http://rfc.net/rfc1738.html
URL encoding reference - http://www.w3schools.com/tags/ref_urlencode.asp
The URLEncode and URLDecode Page - http://www.albionresearch.com/misc/urlencode.php
David Wheeler - Validating URIs - http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS
Submissions | ||||
---|---|---|---|---|
Submitter | Organization | Date | ||
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-03-01 |
Modifications | |||||
---|---|---|---|---|---|
Modifier | Organization | Date | Comments | ||
Eric Dalci | Cigital, Inc | 2007-02-13 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | ||
Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise | ||
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name | ||
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |