This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Double Encoding

From OWASP
Revision as of 16:30, 9 June 2006 by Weilin Zhong (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.


Description

Using double encoding to bypass security checks that only decoded user input once. The decoded user input will pass this security checks and then later be used in backend platforms or modules that understand the encoding but don't have the corresponding security checks in place.

Examples

  • Use double URL encoded XSS script to bypass a built-in XSS detection module. The first layer of the encodings will be decoded by the HTTP protocol and the resultant URL encoded script will be able to pass the built-in XSS detection module and gets into the application. If this script is returned to a victim user by the application later, the script is going to fire on the victim's browser.
  • CAN-2004-1938 - "%2527" (double-encoded single quote) used in SQL injection.
  • CVE-2001-0333 - Directory traversal using double encoding.

For more details, see PLOVER - Double Encoding

Related Threats

Attackers try to bypass some security checks.

Related Attacks

Related Vulnerabilities

SQL Injection XSS

Related Countermeasures

Input Validation

Categories

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
Retrieved from "https://wiki.owasp.org/index.php?title=Double_Encoding&oldid=5732"