This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.
Description
Attack Execution Flow
3
1
Step 1
Explore[Survey web application for URLs with parameters] Using a browser, an automated tool or by inspecting the application, an adversary records all URLs that contain parameters.
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
AI Translation
[Indagine sull'applicazione web per URL con parametri] Utilizzando un browser, uno strumento automatizzato o ispezionando l'applicazione, un adversary registra tutti gli URL che contengono parametri.
Utilizza uno strumento di spidering per seguire e registrare tutti i link e analizzare le pagine web per trovare punti di ingresso. Prendi nota in particolare di eventuali link che includono parametri nell'URL.
Attack Techniques
-
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
2
Step 2
Experiment[Probe URLs to locate vulnerabilities] The adversary uses the URLs gathered in the 'Explore' phase as a target list and tests parameters with different encodings of special characters to see how the web application will handle them.
Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally.
Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes.
AI Translation
[Probe URL per individuare vulnerabilità] L'avversario utilizza gli URL raccolti nella fase "Esplora" come lista di obiettivi e testa i parametri con diverse codifiche di caratteri speciali per verificare come l'applicazione web li gestisce.
Utilizza codifiche URL di caratteri speciali come punto e virgola, backslash o punto interrogativo che potrebbero essere normalmente filtrati.
Combina l'uso delle codifiche URL con altre tecniche di codifica come i triple dot e l'escape degli slash.
Attack Techniques
-
Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally.
-
Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes.IT: Utilizzare codifiche URL di caratteri speciali come punto e virgola (%3B), backslash (%5C) o punto interrogativo (%3F) che potrebbero essere normalmente filtrati.
3
Step 3
Exploit[Inject special characters into URL parameters] Using the information gathered in the 'Experiment' phase, the adversary injects special characters into the URL using URL encoding. This can lead to path traversal, cross-site scripting, SQL injection, etc.
AI Translation
[Inserimento di caratteri speciali nei parametri URL] Utilizzando le informazioni raccolte nella fase di "Experiment", l'avversario inserisce caratteri speciali nell'URL tramite codifica URL. Ciò può portare a path traversal, cross-site scripting, SQL injection, ecc.
Mitigations
7
Regular Expression Can Be Used To Match Safe Url Patterns. However, That May Discard Valid Url Requests If The Regular Expression Is Too Restrictive.
Any Security Checks Should Occur After The Data Has Been Decoded And Validated As Correct Data Format. Do Not Repeat Decoding Process, If Bad Character Are Left After Decoding Process, Treat The Data As Suspicious, And Fail The Validation Process.
Be Aware Of The Threat Of Alternative Method Of Data Encoding And Obfuscation Technique Such As Ip Address Encoding. (See Related Guideline Section)
There Are Tools To Scan Http Requests To The Server For Valid Url Such As Urlscan From Microsoft (Http://Www.Microsoft.Com/Technet/Security/Tools/Urlscan.Mspx).
Assume All Input Is Malicious. Create An Allowlist That Defines All Valid Input To The Software System Based On The Requirements Specifications. Input That Does Not Match Against The Allowlist Should Not Be Permitted To Enter Into The System. Test Your Decoding Process Against Malicious Input.
Refer To The Rfcs To Safely Decode Url.
When Client Input Is Required From Web-Based Forms, Avoid Using The "Get" Method To Submit Data, As The Method Causes The Form Data To Be Appended To The Url And Is Easily Manipulated. Instead, Use The "Post Method Whenever Possible.
Consequences
Security Scopes Affected
Access Control
Authorization
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Gain Privileges
Read Data
Resource Consumption
Indicators
2
Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.