This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Custom Special Character Injection"

Jump to: navigation, search
m (Added to Injection subcategory)
Line 47: Line 47:
[[Category:Resource Manipulation]]
[[Category:Resource Manipulation]]

Latest revision as of 23:22, 8 December 2011

This is an Attack. To view all attacks, please see the Attack Category page.

Last revision (mm/dd/yy): 12/8/2011


The software does not properly filter or quote special characters or reserved words that are used in a custom or proprietary language or representation that is used by the product. That allows attackers to modify the syntax, content, or commands before they are processed by the end system.

Risk Factors




A simple example is an application which executes almost everything which is passed to it from the current terminal by the user without sanitazing and blocking user input. If the application doesn't implement appropriate signals handling, we may interrupt or suspend program execution by sending respectively Ctrl+C (^C) or Ctrl+Z (^Z) combinations. These combinations are sending signals to the application. In the first case it's SIGINT and in the second it's SIGSTOP signal.


The classic example, often used by the IRC warriors/bandits, was disconnecting modem users by sending to them a special sequence of characters. Sending via any protocol (IP) "+++ATH0" sequence caused some modems to interpret this sequence as a disconnect command. So all that had to be done was to send the sequence on an IRC channel, which in effect forced vulnerable modems to disconnect.

Related Threat Agents

Related Attacks

Related Vulnerabilities


Related Controls