CAPEC-72

URL Encoding
Likelihood of Attack: High
Typical Severity: High
Status: Draft
Submitted: 2014-06-23 00:00 +00:00
Last Modified: 2022-09-29 00:00 +00:00

CAPEC Description

This attack targets the encoding of the URL. An adversary can take advantage of the multiple ways of encoding a URL and abuse how the application interprets the URL.

CAPEC Information

Execution Flow

1) Explore

[Survey web application for URLs with parameters] Using a browser, an automated tool or by inspecting the application, an adversary records all URLs that contain parameters.

Technique
  • Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
2) Experiment

[Probe URLs to locate vulnerabilities] The adversary uses the URLs gathered in the "Explore" phase as a target list and tests parameters with different encodings of special characters to see how the web application will handle them.

Technique
  • Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally.
  • Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes.
3) Exploit

[Inject special characters into URL parameters] Using the information gathered in the "Experiment" phase, the adversary injects special characters into the URL using URL encoding. This can lead to path traversal, cross-site scripting, SQL injection, etc.

Prerequisites

The application accepts and decodes URL input.
The application performs insufficient filtering/canonicalization on the URLs.

Skills Required

An adversary can try special characters in the URL and bypass the URL validation.
The adversary may write a script to defeat the input filtering mechanism.

Mitigations

Refer to the RFCs to safely decode URLs.
Regular expressions can be used to match safe URL patterns. However, an overly restrictive regular expression may discard valid URL requests.
There are tools to scan HTTP requests to the server for valid URLs, such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
Any security checks should occur after the data has been decoded and validated as being in the correct format. Do not repeat the decoding process; if bad characters are left after decoding, treat the data as suspicious and fail the validation process.
Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match the allowlist should not be permitted to enter the system. Test your decoding process against malicious input.
Be aware of the threat of alternative methods of data encoding and obfuscation techniques, such as IP address encoding. (See the related guideline section.)
When client input is required from web-based forms, avoid using the "GET" method to submit data, as that method causes the form data to be appended to the URL, where it is easily manipulated. Instead, use the "POST" method whenever possible.
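The "decode once, then validate against an allowlist" mitigation above, written out as an added example (not code from CAPEC or MITRE). It assumes a path-like parameter whose allowed character set and traversal rules are constructed here for illustration; a real allowlist comes from the application's requirements.

```python
import re
from urllib.parse import unquote

# Constructed allowlist for a relative, path-like parameter: letters, digits,
# '/', '.', '_' and '-'. Everything else is rejected after decoding.
SAFE_PARAM = re.compile(r"[A-Za-z0-9/_.\-]+")


def decode_once(raw: str) -> str:
    """Apply exactly one percent-decoding pass.

    urllib's unquote() removes one layer of %XX escapes: "%252e" becomes
    "%2e", not ".", so a double-encoded input is visible afterwards.
    """
    return unquote(raw)


def validate_param(raw: str) -> tuple[bool, str]:
    """Return (ok, decoded_value) or (False, reason) for a URL parameter.

    Order matters: decode a single time, reject leftovers that indicate
    multiple encoding, then run the allowlist and canonical-form checks on
    the decoded value, never on the raw encoded string.
    """
    decoded = decode_once(raw)

    # A '%' surviving the single decode means the input was encoded more than
    # once (or is malformed). Per the mitigation, do not decode again.
    if "%" in decoded:
        return False, "residual escape after single decode"

    # Embedded NUL can truncate the value in downstream C-based components.
    if "\x00" in decoded:
        return False, "null byte"

    if not SAFE_PARAM.fullmatch(decoded):
        return False, "character outside allowlist"

    # Canonical-form checks run on the decoded value: no absolute paths and no
    # dot-only segments ("..", "...") that could climb out of the base directory.
    segments = decoded.split("/")
    if decoded.startswith("/") or any(
        len(s) >= 2 and set(s) == {"."} for s in segments
    ):
        return False, "path traversal or absolute path"

    return True, decoded
```

The same function rejects a plain `../` segment, its single-encoded form and its double-encoded form for different stated reasons, which is what makes the rejection reason useful in logs.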

Related Weaknesses

CWE-ID Weakness Name

CWE-173

Improper Handling of Alternate Encoding
The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.

CWE-177

Improper Handling of URL Encoding (Hex Encoding)
The product does not properly handle when all or part of an input has been URL encoded.

CWE-172

Encoding Error
The product does not properly encode or decode the data, resulting in unexpected values.

CWE-73

External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-20

Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

REF-495

URL Encoded Attacks - Attacks using the common web browser
Gunter Ollmann.
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html

REF-496

RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
T. Berners-Lee, R. Fielding, L. Masinter.
http://www.ietf.org/rfc/rfc3986.txt

REF-497

RFC 1738 - Uniform Resource Locators (URL)
T. Berners-Lee, L. Masinter, M. McCahill.
http://www.ietf.org/rfc/rfc1738.txt

REF-498

HTML URL Encoding Reference
http://www.w3schools.com/tags/ref_urlencode.asp

REF-499

The URLEncode and URLDecode Page
http://www.albionresearch.com/misc/urlencode.php

REF-500

Secure Programming for Linux and Unix HOWTO
David Wheeler.
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS

Submission

Name Organization Date
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-01-09 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated References
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Example_Instances, Indicators, Mitigations
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Example_Instances, Execution_Flow, Extended_Description, Skills_Required
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Example_Instances