Description

The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.

Attack Execution Flow

2

1

Step 1

Explore

[Survey the application for user-controllable inputs] Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Manually inspect the application to find entry points.

Attack Techniques

Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
IT: Utilizza uno strumento di spidering per seguire e registrare tutti i link e analizzare le pagine web per individuare punti di ingresso. Prendi nota in modo particolare di eventuali link che includono parametri nell'URL.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
IT: Utilizza uno strumento di spidering per seguire e registrare tutti i link e analizzare le pagine web per individuare punti di ingresso. Prendi nota in modo particolare di eventuali link che includono parametri nell'URL.
Manually inspect the application to find entry points.
IT: Utilizza uno strumento di spidering per seguire e registrare tutti i link e analizzare le pagine web per individuare punti di ingresso. Prendi nota in modo particolare di eventuali link che includono parametri nell'URL.

2

Step 2

Experiment

[Probe entry points to locate vulnerabilities] Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.
Try to use double-encoding to bypass validation routines.

Attack Techniques

Try to use double-encoding to bypass validation routines.

Mitigations

7

Be Aware Of The Threat Of Alternative Method Of Data Encoding And Obfuscation Technique Such As Ip Address Encoding.

Any Security Checks Should Occur After The Data Has Been Decoded And Validated As Correct Data Format. Do Not Repeat Decoding Process, If Bad Character Are Left After Decoding Process, Treat The Data As Suspicious, And Fail The Validation Process.

Regular Expression Can Be Used To Match Safe Url Patterns. However, That May Discard Valid Url Requests If The Regular Expression Is Too Restrictive.

Assume All Input Is Malicious. Create An Allowlist That Defines All Valid Input To The Software System Based On The Requirements Specifications. Input That Does Not Match Against The Allowlist Should Not Be Permitted To Enter Into The System. Test Your Decoding Process Against Malicious Input.

When Client Input Is Required From Web-Based Forms, Avoid Using The "Get" Method To Submit Data, As The Method Causes The Form Data To Be Appended To The Url And Is Easily Manipulated. Instead, Use The "Post Method Whenever Possible.

Refer To The Rfcs To Safely Decode Url.

There Are Tools To Scan Http Requests To The Server For Valid Url Such As Urlscan From Microsoft (Http://Www.Microsoft.Com/Technet/Security/Tools/Urlscan.Mspx).

Consequences

Relationships

Resources Required

1

CAPEC 120 Double Encoding

Description

Attack Execution Flow

Step 1

Attack Techniques

Step 2

Attack Techniques

Mitigations

Be Aware Of The Threat Of Alternative Method Of Data Encoding And Obfuscation Technique Such As Ip Address Encoding.

Any Security Checks Should Occur After The Data Has Been Decoded And Validated As Correct Data Format. Do Not Repeat Decoding Process, If Bad Character Are Left After Decoding Process, Treat The Data As Suspicious, And Fail The Validation Process.

Regular Expression Can Be Used To Match Safe Url Patterns. However, That May Discard Valid Url Requests If The Regular Expression Is Too Restrictive.

Assume All Input Is Malicious. Create An Allowlist That Defines All Valid Input To The Software System Based On The Requirements Specifications. Input That Does Not Match Against The Allowlist Should Not Be Permitted To Enter Into The System. Test Your Decoding Process Against Malicious Input.

When Client Input Is Required From Web-Based Forms, Avoid Using The "Get" Method To Submit Data, As The Method Causes The Form Data To Be Appended To The Url And Is Easily Manipulated. Instead, Use The "Post Method Whenever Possible.

Refer To The Rfcs To Safely Decode Url.

There Are Tools To Scan Http Requests To The Server For Valid Url Such As Urlscan From Microsoft (Http://Www.Microsoft.Com/Technet/Security/Tools/Urlscan.Mspx).

Consequences

Consequence Information

Relationships

Parent CAPECs

Resources Required

CAPEC 120 Double Encoding

Description

Attack Execution Flow

Step 1

Attack Techniques

Step 2

Attack Techniques

Mitigations

Be Aware Of The Threat Of Alternative Method Of Data Encoding And Obfuscation Technique Such As Ip Address Encoding.

Any Security Checks Should Occur After The Data Has Been Decoded And Validated As Correct Data Format. Do Not Repeat Decoding Process, If Bad Character Are Left After Decoding Process, Treat The Data As Suspicious, And Fail The Validation Process.

Regular Expression Can Be Used To Match Safe Url Patterns. However, That May Discard Valid Url Requests If The Regular Expression Is Too Restrictive.

Assume All Input Is Malicious. Create An Allowlist That Defines All Valid Input To The Software System Based On The Requirements Specifications. Input That Does Not Match Against The Allowlist Should Not Be Permitted To Enter Into The System. Test Your Decoding Process Against Malicious Input.

When Client Input Is Required From Web-Based Forms, Avoid Using The "Get" Method To Submit Data, As The Method Causes The Form Data To Be Appended To The Url And Is Easily Manipulated. Instead, Use The "Post Method Whenever Possible.

Refer To The Rfcs To Safely Decode Url.

There Are Tools To Scan Http Requests To The Server For Valid Url Such As Urlscan From Microsoft (Http://Www.Microsoft.Com/Technet/Security/Tools/Urlscan.Mspx).

Consequences

Consequence Information

Relationships

Parent CAPECs

Resources Required

Iscriviti alla newsletter