This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
Description
Attack Execution Flow
Step 1
ExploreThe attacker accesses the server using a specific URL.
L'attaccante accede al server utilizzando un URL specifico.
Step 2
ExperimentThe attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.
L'attaccante cerca di codificare alcuni caratteri speciali nell'URL. L'attaccante scopre che alcuni caratteri non sono filtrati correttamente.
Step 3
ExploitThe attacker crafts a malicious URL string request and sends it to the server.
L'attaccante crea una richiesta di stringa URL dannosa e la invia al server.
Step 4
ExploitThe server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.
Il server decodifica e interpreta la stringa URL. Sfortunatamente, poiché il filtraggio dell'input non viene eseguito correttamente, i caratteri speciali hanno conseguenze dannose.