This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Double Encoding"

From OWASP
Jump to: navigation, search
m
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[http://s1.shard.jp/bireba/avguard-antivirus.html how to remove symantec antivirus
+
{{stub}}
] [http://s1.shard.jp/frhorton/q8nii8ad3.html my children my africa
 
] [http://s1.shard.jp/bireba/nortonantivirus.html download norton antivirus updates
 
] [http://s1.shard.jp/galeach/new2.html asian female myspace.com oregon site
 
] [http://s1.shard.jp/frhorton/mgsbz3g84.html educational african american quote
 
] [http://s1.shard.jp/losaul/weight-loss-medication.html australian girls names
 
] [http://s1.shard.jp/frhorton/5hrrb99yl.html south africa tourism
 
] [http://s1.shard.jp/bireba/symantec-antivirus.html norton antivirus corporate edition 7.5
 
] [http://s1.shard.jp/olharder/chery-automobile.html custom auto body work fl
 
] [http://s1.shard.jp/galeach/new147.html austin asian massage tx
 
] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/olharder/autoroll-654.html top] [http://s1.shard.jp/frhorton/x5dh8y75v.html slavery in africa in the 1800s
 
] [http://s1.shard.jp/galeach/new159.html asian recipes for children
 
] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/olharder/autopilots-for.html auto paint for sale
 
] [http://s1.shard.jp/olharder/autoroll-654.html sitemap] [http://s1.shard.jp/frhorton/bc7zse5ug.html african scholarships
 
] [http://s1.shard.jp/bireba/panda-software.html panda titanium 2006 antivirus crack
 
] [http://s1.shard.jp/losaul/consolidated-travel.html glory hole locations australia
 
] [http://s1.shard.jp/olharder/automatic-direction.html auto lift springs
 
] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/losaul/informed-sources.html australian service sector are productivity leaders
 
] [http://s1.shard.jp/galeach/new30.html south asia tribune proxy server
 
] [http://s1.shard.jp/frhorton/1aql7wt5f.html zambian embassy in south africa
 
] [http://s1.shard.jp/frhorton/91rryr9x4.html african imports uk] [http://s1.shard.jp/galeach/new50.html african and asian elephants
 
] [http://s1.shard.jp/losaul/australian-bull.html quokka newspaper australia
 
] [http://s1.shard.jp/frhorton/4dqjbtjm2.html south africa for kids
 
] [http://s1.shard.jp/losaul/jamberoo-recreation.html australian live music
 
] [http://s1.shard.jp/galeach/new24.html asian beach community type
 
] [http://s1.shard.jp/galeach/new43.html reward management asia
 
] [http://s1.shard.jp/losaul/australian-club.html big day out australia 2005
 
] [http://s1.shard.jp/bireba/mcafee-free-antivirus.html manually uninstall symantec antivirus corporate 9
 
] [http://s1.shard.jp/bireba/map.html clam antivirus
 
] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/galeach/new166.html blasia costumes
 
] [http://s1.shard.jp/bireba/antivirus-software.html antivirus sofware
 
] [http://s1.shard.jp/bireba/antivirus-small.html symantec antivirus auto protect is disabled
 
] [http://s1.shard.jp/frhorton/9rxlvcl6n.html etv news south africa
 
] [http://s1.shard.jp/bireba/download-norton.html quickheal antivirus free download
 
] [http://s1.shard.jp/olharder/auto-insurance.html automatic cappuccino coffee espresso maker
 
] [http://s1.shard.jp/olharder/dacoma-automotive.html performance auto and sound models
 
] [http://s1.shard.jp/losaul/australia-from.html whos who in australia
 
] [http://s1.shard.jp/galeach/new20.html asian journalist
 
] [http://s1.shard.jp/olharder/aa-auto-route-planner.html automobile custom paint jobs
 
] [http://s1.shard.jp/frhorton/lmi1tnyfh.html africa disease image in
 
] [http://s1.shard.jp/losaul/australia-transcriber.html australia car hand second
 
 
http://www.textorellirocaco.com
 
{{Template:Attack}}
 
  
 
Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
Line 51: Line 8:
 
This attack technique consists of encoding user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from the application. It's possible because the webserver accepts and processes client requests in many encoded forms.
 
This attack technique consists of encoding user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from the application. It's possible because the webserver accepts and processes client requests in many encoded forms.
  
By using double encoding it’s possible to bypass security filters that only decode user input once. The second decoding process is executed by the backend platform or modules that properly handle encoded data, but don't have the corresponding security checks in place.
+
By using double encoding it’s possible to bypass security filters that only decode user input once. The second decoding process is executed by the backend platform or modules that properly handle encoded data, but don't have the corresponding security checks in place.
 
   
 
   
 
Attackers can inject double encoding in pathnames or query strings to bypass the authentication schema and security filters in use by the web application.
 
Attackers can inject double encoding in pathnames or query strings to bypass the authentication schema and security filters in use by the web application.
  
There are some common characters sets that are used in Web applications attacks. For example, [[Path Traversal]] attacks  use “../” (dot-dot-slash) , while [[Cross-site Scripting (XSS)|XSS]] attacks use “<” and “>” characters. These characters give a hexadecimal representation that differs from normal data.  
+
There are some common characters sets that are used in Web applications attacks. For example, [[Path Traversal]] attacks  use ../(dot-dot-slash) , while [[Cross-site Scripting (XSS)|XSS]] attacks use <and >characters. These characters give a hexadecimal representation that differs from normal data.  
  
For example, “../” (dot-dot-slash) characters represent %2E%2E%2f in hexadecimal representation. When the % symbol is encoded again, its representation in hexadecimal code is %25. The result from the double encoding process ”../”(dot-dot-slash) would be %252E%252E%252F:
+
For example, ../(dot-dot-slash) characters represent %2E%2E%2f in hexadecimal representation. When the % symbol is encoded again, its representation in hexadecimal code is %25. The result from the double encoding process ../(dot-dot-slash) would be %252E%252E%252F:
 
   
 
   
* The hexadecimal encoding of “../” represents "%2E%2E%2f"
+
* The hexadecimal encoding of ../represents "%2E%2E%2f"
  
* Then encoding the “%” represents "%25"
+
* Then encoding the %represents "%25"
  
* Double encoding of “../” represents "%252E%252E%252F"
+
* Double encoding of ../represents "%252E%252E%252F"
  
 
==Risk Factors==
 
==Risk Factors==
Line 74: Line 31:
 
This example presents an old well-known vulnerability found in IIS versions 4.0 and 5.0, where an attacker could bypass an authorization schema and gain access to any file on the same drive as the web root directory due to an issue with the decoding mechanism. For more details about folder traversal vulnerability, see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333  CVE 2001-0333].  
 
This example presents an old well-known vulnerability found in IIS versions 4.0 and 5.0, where an attacker could bypass an authorization schema and gain access to any file on the same drive as the web root directory due to an issue with the decoding mechanism. For more details about folder traversal vulnerability, see [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0333  CVE 2001-0333].  
  
In this scenario, the victim has a published executable directory (e.g. cgi) that’s stored on the same partition as the Windows system folder. An attacker could execute arbitrary commands on the web server by submitting the following URL:  
+
In this scenario, the victim has a published executable directory (e.g. cgi) that’s stored on the same partition as the Windows system folder. An attacker could execute arbitrary commands on the web server by submitting the following URL:  
  
 
Original URL:
 
Original URL:
Line 80: Line 37:
 
  <nowiki>http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\</nowiki>
 
  <nowiki>http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\</nowiki>
  
However, the application uses a security check filter that refuses requests containing characters like “../”. By double encoding the URL, it’s possible to bypass security the filter:
+
However, the application uses a security check filter that refuses requests containing characters like ../. By double encoding the URL, it’s possible to bypass security the filter:
  
 
Double encoded URL:
 
Double encoded URL:
Line 91: Line 48:
 
  <script>alert('XSS')</script>
 
  <script>alert('XSS')</script>
  
This malicious code could be inserted into a vulnerable application,  resulting in an alert window with the message “XSS”. However, the web application can have a character filter which prohibits characters such as “< “, “>” and “/”, since they are used to perform web application attacks. The attacker could use a double encoding technique to bypass the filter and exploit the client’s session. The encoding process for this Java script is:
+
This malicious code could be inserted into a vulnerable application,  resulting in an alert window with the message “XSS”. However, the web application can have a character filter which prohibits characters such as < , >and /, since they are used to perform web application attacks. The attacker could use a double encoding technique to bypass the filter and exploit the client’s session. The encoding process for this Java script is:
  
 
<table >
 
<table >
Line 103: Line 60:
  
 
<tr>
 
<tr>
<td colspan=30> “<” </td>
+
<td colspan=30> <</td>
<td colspan=40> “%3C” </td>
+
<td colspan=40> %3C” </td>
<td colspan=50%> “%25” </td>
+
<td colspan=50%> %25” </td>
<td colspan=50%> “%253C” </td>
+
<td colspan=50%> %253C” </td>
 
</tr>
 
</tr>
  
 
<tr>
 
<tr>
<td colspan=30> “/” </td>
+
<td colspan=30> /</td>
<td colspan=40> “%2F” </td>
+
<td colspan=40> %2F” </td>
<td colspan=50%> “%25” </td>
+
<td colspan=50%> %25” </td>
<td colspan=50%> “%252F” </td>
+
<td colspan=50%> %252F” </td>
 
</tr>
 
</tr>
  
 
<tr>
 
<tr>
<td colspan=30> “>” </td>
+
<td colspan=30> ></td>
<td colspan=40> “%3E” </td>
+
<td colspan=40> %3E” </td>
<td colspan=50%> “%25” </td>
+
<td colspan=50%> %25” </td>
<td colspan=50%> “%253E” </td>
+
<td colspan=50%> %253E” </td>
 
</tr>
 
</tr>
  
Line 150: Line 107:
  
 
[[Category:Resource Manipulation]]
 
[[Category:Resource Manipulation]]
[[Category:Attack]]
 
 
__NOTOC__
 
__NOTOC__

Latest revision as of 14:54, 11 November 2014

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


Last revision: 11/11/2014

Description

This attack technique consists of encoding user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behavior from the application. It's possible because the webserver accepts and processes client requests in many encoded forms.

By using double encoding it’s possible to bypass security filters that only decode user input once. The second decoding process is executed by the backend platform or modules that properly handle encoded data, but don't have the corresponding security checks in place.

Attackers can inject double encoding in pathnames or query strings to bypass the authentication schema and security filters in use by the web application.

There are some common characters sets that are used in Web applications attacks. For example, Path Traversal attacks use “../” (dot-dot-slash) , while XSS attacks use “<” and “>” characters. These characters give a hexadecimal representation that differs from normal data.

For example, “../” (dot-dot-slash) characters represent %2E%2E%2f in hexadecimal representation. When the % symbol is encoded again, its representation in hexadecimal code is %25. The result from the double encoding process ”../”(dot-dot-slash) would be %252E%252E%252F:

  • The hexadecimal encoding of “../” represents "%2E%2E%2f"
  • Then encoding the “%” represents "%25"
  • Double encoding of “../” represents "%252E%252E%252F"

Risk Factors

TBD

Examples

Example 1

This example presents an old well-known vulnerability found in IIS versions 4.0 and 5.0, where an attacker could bypass an authorization schema and gain access to any file on the same drive as the web root directory due to an issue with the decoding mechanism. For more details about folder traversal vulnerability, see CVE 2001-0333.

In this scenario, the victim has a published executable directory (e.g. cgi) that’s stored on the same partition as the Windows system folder. An attacker could execute arbitrary commands on the web server by submitting the following URL:

Original URL:

http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\

However, the application uses a security check filter that refuses requests containing characters like “../”. By double encoding the URL, it’s possible to bypass security the filter:

Double encoded URL:

http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\ 

Example 2

A double encoded URL can be used to perform an XSS attack in order to bypass a built-in XSS detection module. Depending on the implementation, the first decoding process is performed by HTTP protocol and the resultant encoded URL will bypass the XSS filter, since it has no mechanisms to improve detection. A simple example XSS would be:

<script>alert('XSS')</script>

This malicious code could be inserted into a vulnerable application, resulting in an alert window with the message “XSS”. However, the web application can have a character filter which prohibits characters such as “< “, “>” and “/”, since they are used to perform web application attacks. The attacker could use a double encoding technique to bypass the filter and exploit the client’s session. The encoding process for this Java script is:

Char Hex encode Then encoding '%' Double encode
“<” “%3C” “%25” “%253C”
“/” “%2F” “%25” “%252F”
“>” “%3E” “%25” “%253E”

Finally, the malicious double encoding code is:

%253Cscript%253Ealert('XSS')%253C%252Fscript%253E

Related Threat Agents

Related Attacks

Related Vulnerabilities

  • TBD

Related Controls

References