This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Unicode Encoding"

From OWASP
Jump to: navigation, search
(Related Attacks)
Line 5: Line 5:
 
The attack aims to explore flaws in the decode mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or force browsing to protected pages.
 
The attack aims to explore flaws in the decode mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or force browsing to protected pages.
  
 +
== Severity ==
 +
 +
High
 +
 +
== Likelihood of exploitation ==
 +
 +
High
  
 
==Examples ==
 
==Examples ==
Line 21: Line 28:
  
 
Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification and denial of service.
 
Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification and denial of service.
 
  
 
==External References ==
 
==External References ==
Line 35: Line 41:
  
 
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html - URL encoded attacks, by Gunter Ollmann  
 
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html - URL encoded attacks, by Gunter Ollmann  
 
  
 
==Related Threats==
 
==Related Threats==
Line 42: Line 47:
  
 
[[:Category:Information Disclosure]]
 
[[:Category:Information Disclosure]]
 
  
 
==Related Attacks==
 
==Related Attacks==
Line 52: Line 56:
  
 
[[:Category:Input Validation]]
 
[[:Category:Input Validation]]
 
  
 
==Related Countermeasures==
 
==Related Countermeasures==
Line 59: Line 62:
  
  
==Categories=
+
[[Category:Resource Manipulation]]
  
[[:Category:Resource Manipulation]]
+
[[Category:Attack]]

Revision as of 17:57, 5 November 2007

This is an Attack. To view all attacks, please see the Attack Category page.


Description

The attack aims to explore flaws in the decode mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or force browsing to protected pages.

Severity

High

Likelihood of exploitation

High

Examples

Consider a web application that has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” (Path Traversal Attack) using Unicode format and attempt to access the protected resource, as follows:

Original Path Traversal attack URL (without Unicode Encoding):

http://vulneapplication/../../appusers.txt

Path Traversal attack URL with Unicode Encoding:

http://vulneapplication/%C0AE/%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt

The Unicode encoding for the URL above will produce the same result as the first URL (Path Traversal Attack). However, if the application has certain input security filter mechanism, it could refuse any request containing “../” sequence, thus blocking the attack. However, if this mechanism doesn’t consider character encoding, the attacker can bypass and access protected resource.

Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification and denial of service.

External References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884 - CVE-2000-0884

http://capec.mitre.org/data/definitions/71.html - Using Unicode Encoding to Bypass Validation Logic

http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx - Patch Available for 'Web Server Folder Traversal' Vulnerability

http://www.kb.cert.org/vuls/id/739224 - HTTP content scanning systems full-width/half-width Unicode encoding bypass

http://scissec.scis.ecu.edu.au/conferences2007/documents/cheong_kai_wai_1.pdf - Penetration testing of cross site scripting and SQL injection on web application by Cheong Kai Wee

http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html - URL encoded attacks, by Gunter Ollmann

Related Threats

Category:Command Execution

Category:Information Disclosure

Related Attacks

Related Vulnerabilities

Category:Input Validation

Related Countermeasures

Category:Input Validation