This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Unicode Encoding"

From OWASP
(Related Attacks)
m (Reverted edits by ZelsiTcc4t (Talk) to last version by KirstenS)
 
(15 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
<br>
 +
[[Category:OWASP ASDR Project]]
  
==Description==
 
  
The attack aims to explore flaws in the decode mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or force browsing to protected pages.
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 +
==Description==
 +
The attack aims to explore flaws in the decoding mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or to force browsing to protected pages.
  
 
==Examples ==
 
==Examples ==
 
+
Consider a web application which has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” ([[Path Traversal]] Attack) using Unicode format and attempt to access the protected resource, as follows:
Consider a web application that has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” (Path Traversal Attack) using Unicode format and attempt to access the protected resource, as follows:
 
  
 
Original Path Traversal attack URL (without Unicode Encoding):
 
Original Path Traversal attack URL (without Unicode Encoding):
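Review bot: In the rewritten Description line, "aims to explore flaws in the decoding mechanism" still reads as a mistranslation; "exploit flaws" is the verb the rest of the sentence supports. The same line says "Unicode data format" without naming which encoding the application is decoding, and since the example that follows is a percent-encoded byte sequence, stating the encoding here would let a reader check the example against the description.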
Line 16: Line 18:
 
Path Traversal attack URL with Unicode Encoding:
 
Path Traversal attack URL with Unicode Encoding:
  
  <nowiki>http://vulneapplication/%C0AE/%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt</nowiki>
+
  <nowiki>http://vulneapplication/%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt</nowiki>
 
 
The Unicode encoding for the URL above will produce the same result as the first URL (Path Traversal Attack). However, if the application has certain input security filter mechanism, it could refuse any request containing “../” sequence, thus blocking the attack. However, if this mechanism doesn’t consider character encoding, the attacker can bypass and access protected resource.
 
 
 
Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification and denial of service.
 
 
 
 
 
==External References ==
 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884 - CVE-2000-0884
 
 
 
http://capec.mitre.org/data/definitions/71.html - Using Unicode Encoding to Bypass Validation Logic
 
 
 
http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx - Patch Available for 'Web Server Folder Traversal' Vulnerability
 
 
 
http://www.kb.cert.org/vuls/id/739224 - HTTP content scanning systems full-width/half-width Unicode encoding bypass
 
 
 
http://scissec.scis.ecu.edu.au/conferences2007/documents/cheong_kai_wai_1.pdf - Penetration testing of cross site scripting and SQL injection on web application by Cheong Kai Wee
 
 
 
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html - URL encoded attacks, by Gunter Ollmann
 
 
 
  
==Related Threats==
+
The Unicode encoding for the URL above will produce the same result as the first URL (Path Traversal Attack). However, if the application has an input security filter mechanism, it could refuse any request containing “../” sequence, thus blocking the attack. However, if this mechanism doesn’t consider character encoding, the attacker can bypass and access protected resource.
  
[[:Category:Command Execution]]
+
Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification, and denial of service.
  
[[:Category:Information Disclosure]]
+
==Related [[Threat Agents]]==
 +
* [[:Category:Command Execution]]
 +
* [[:Category:Information Disclosure]]
 +
[[Category:FIXME|these links don't exist]]
  
 +
==Related [[Attacks]]==
 +
* [[Path Traversal]]
 +
* [[Embedding Null Code]]
  
==Related Attacks==
+
==Related [[Vulnerabilities]]==
 +
* [[:Category:Input Validation Vulnerability]]
  
*[[Path Traversal]]
+
==Related [[Controls]]==
*[[Embedding Null Code]]
+
* [[:Category:Input Validation]]
  
==Related Vulnerabilities==
+
==References ==
 +
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884 - CVE-2000-0884
 +
* http://capec.mitre.org/data/definitions/71.html - Using Unicode Encoding to Bypass Validation Logic
 +
* http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx - Patch Available for 'Web Server Folder Traversal' Vulnerability
 +
* http://www.kb.cert.org/vuls/id/739224 - HTTP content scanning systems full-width/half-width Unicode encoding bypass
 +
* http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html - URL encoded attacks, by Gunter Ollmann
  
[[:Category:Input Validation]]
 
  
 +
[[Category:FIXME|link not working
  
==Related Countermeasures==
+
* http://scissec.scis.ecu.edu.au/conferences2007/documents/cheong_kai_wai_1.pdf - Penetration testing of cross site scripting and SQL injection on web application by Cheong Kai Wee
  
[[:Category:Input Validation]]
+
]]
  
  
==Categories=
+
[[Category:Resource Manipulation]]
  
[[:Category:Resource Manipulation]]
+
[[Category:Attack]]
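Review bot: The corrected URL line drops the stray "/" after the first %C0AE, but it still writes each two-byte sequence as %C0AE with a single percent sign; percent-encoding uses one %HH per byte, so the notation should be %C0%AE and %C0%AF if the line is meant as a literal URL. In the new References list, the cheong_kai_wai_1.pdf entry is wrapped in [[Category:FIXME|link not working ... ]], which leaves a category tag spanning a list item; drop the dead link or move the FIXME to the talk page. The reworded explanation paragraph also keeps two consecutive sentences that open with "However".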

Latest revision as of 19:55, 26 May 2009

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision (mm/dd/yy): 05/26/2009

Description

This attack exploits flaws in the decoding mechanism that applications use when decoding Unicode-encoded data. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the web server or force browsing to protected pages.

Examples

Consider a web application which has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” (Path Traversal Attack) using Unicode format and attempt to access the protected resource, as follows:

Original Path Traversal attack URL (without Unicode Encoding):

http://vulneapplication/../../appusers.txt

Path Traversal attack URL with Unicode Encoding:

http://vulneapplication/%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt

The Unicode-encoded URL above produces the same result as the first URL (Path Traversal Attack). If the application has an input security filter mechanism, it could refuse any request containing the “../” sequence, thus blocking the attack. However, if this mechanism doesn’t consider character encoding, the attacker can bypass it and access the protected resource.
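The filter weakness described above, shown from the defender's side as an added example (not code from the OWASP page). The function names and the lenient decoder are hypothetical, and the sample assumes the page's %C0AE stands for the bytes C0 AE, an overlong UTF-8 form of ".", written here as %C0%AE.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: the page's encoded path with each byte percent-encoded.
ENCODED = "/%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AFappusers.txt"

def naive_filter_allows(raw_path: str) -> bool:
    """Weak filter: searches the undecoded request for the literal '../'."""
    return "../" not in raw_path

def lenient_decode(data: bytes) -> str:
    """Models a legacy decoder (hypothetical) that accepts overlong 2-byte UTF-8."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            # Combines payload bits without checking that 2 bytes were needed.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def legacy_view(raw_path: str) -> str:
    """What a back end using the lenient decoder would see after the filter."""
    return lenient_decode(unquote_to_bytes(raw_path))

def is_safe_path(raw_path: str) -> bool:
    """Hardened check: decode once, strictly, then validate the canonical form."""
    try:
        # Strict UTF-8 rejects overlong forms such as C0 AE.
        decoded = unquote_to_bytes(raw_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return False  # leftover escapes (double encoding), backslash, NUL
    return ".." not in decoded.split("/")

if __name__ == "__main__":
    print("naive filter allows:", naive_filter_allows(ENCODED))
    print("legacy decoder sees:", legacy_view(ENCODED))
    for p in (ENCODED, "/../../appusers.txt", "/%2e%2e/appusers.txt",
              "/docs/appusers.txt"):
        print(p, "->", is_safe_path(p))
```

Rejecting any remaining "%" after one decode pass is deliberately conservative; an application that must serve names containing a literal percent sign needs a narrower rule.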

Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification, and denial of service.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References