This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Unicode Encoding"
m (It seems to me that the slash inbetween the first two %C0AE is definitely superfluos) |
|||
Line 1: | Line 1: | ||
{{Template:Attack}} | {{Template:Attack}} | ||
+ | <br> | ||
+ | [[Category:OWASP ASDR Project]] | ||
+ | [[ASDR Table of Contents]]__TOC__ | ||
+ | |||
==Description== | ==Description== | ||
Line 5: | Line 9: | ||
The attack aims to explore flaws in the decode mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or force browsing to protected pages. | The attack aims to explore flaws in the decode mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or force browsing to protected pages. | ||
− | == | + | ==Risk Factors== |
High | High | ||
− | + | Likelihood of exploitation | |
− | |||
High | High | ||
Line 29: | Line 32: | ||
Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification and denial of service. | Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification and denial of service. | ||
− | + | ==Related [[Threat Agents]]== | |
− | + | * [[:Category:Command Execution]] | |
− | + | * [[:Category:Information Disclosure]] | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | ==Related | ||
− | |||
− | [[:Category:Command Execution]] | ||
− | |||
− | [[:Category:Information Disclosure]] | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | [[ | + | ==Related [[Attacks]]== |
+ | * [[Path Traversal]] | ||
+ | * [[Embedding Null Code]] | ||
− | ==Related | + | ==Related [[Vulnerabilities]]== |
+ | * [[:Category:Input Validation]] | ||
− | [[:Category:Input Validation]] | + | ==Related [[Controls]]== |
+ | * [[:Category:Input Validation]] | ||
+ | ==References == | ||
+ | * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884 - CVE-2000-0884 | ||
+ | * http://capec.mitre.org/data/definitions/71.html - Using Unicode Encoding to Bypass Validation Logic | ||
+ | * http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx - Patch Available for 'Web Server Folder Traversal' Vulnerability | ||
+ | * http://www.kb.cert.org/vuls/id/739224 - HTTP content scanning systems full-width/half-width Unicode encoding bypass | ||
+ | * http://scissec.scis.ecu.edu.au/conferences2007/documents/cheong_kai_wai_1.pdf - Penetration testing of cross site scripting and SQL injection on web application by Cheong Kai Wee | ||
+ | * http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html - URL encoded attacks, by Gunter Ollmann | ||
[[Category:Resource Manipulation]] | [[Category:Resource Manipulation]] | ||
[[Category:Attack]] | [[Category:Attack]] |
Revision as of 00:46, 14 September 2008
- This is an Attack. To view all attacks, please see the Attack Category page.
ASDR Table of Contents
Description
The attack aims to explore flaws in the decode mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or force browsing to protected pages.
Risk Factors
High Likelihood of exploitation
High
Examples
Consider a web application that has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” (Path Traversal Attack) using Unicode format and attempt to access the protected resource, as follows:
Original Path Traversal attack URL (without Unicode Encoding):
http://vulneapplication/../../appusers.txt
Path Traversal attack URL with Unicode Encoding:
http://vulneapplication/%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt
The Unicode encoding for the URL above will produce the same result as the first URL (Path Traversal Attack). However, if the application has certain input security filter mechanism, it could refuse any request containing “../” sequence, thus blocking the attack. However, if this mechanism doesn’t consider character encoding, the attacker can bypass and access protected resource.
Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification and denial of service.
Related Threat Agents
Related Attacks
Related Vulnerabilities
Related Controls
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884 - CVE-2000-0884
- http://capec.mitre.org/data/definitions/71.html - Using Unicode Encoding to Bypass Validation Logic
- http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx - Patch Available for 'Web Server Folder Traversal' Vulnerability
- http://www.kb.cert.org/vuls/id/739224 - HTTP content scanning systems full-width/half-width Unicode encoding bypass
- http://scissec.scis.ecu.edu.au/conferences2007/documents/cheong_kai_wai_1.pdf - Penetration testing of cross site scripting and SQL injection on web application by Cheong Kai Wee
- http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html - URL encoded attacks, by Gunter Ollmann