CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
Last updated
Overview
CAPEC-64 (Using Slashes and URL Encoding Combined to Bypass Validation Logic) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
The attacker accesses the server using a specific URL.
- Step 2Experiment
The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.
- Step 3Exploit
The attacker crafts a malicious URL string request and sends it to the server.
- Step 4Exploit
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.
What the attacker needs
Prerequisites
- The application accepts and decodes URL string request.
- The application performs insufficient filtering/canonicalization on the URLs.
Skills required
- Low skill: An attacker can try special characters in the URL and bypass the URL validation.
- Medium skill: The attacker may write a script to defeat the input filtering mechanism.
Consequences
What a successful CAPEC-64 attack can achieve.
Resource Consumption
Affects: Availability
Denial of Service
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
Run Arbitrary Code
Read Data
Affects: Confidentiality
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-64.
- Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.
- Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.
- When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.
- Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.
- Refer to the RFCs to safely decode URL.
- Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.
- There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
How to detect it
Indicators that this attack may be underway.
- If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.
- Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
Examples
Attack Example: Combined Encodings CesarFTP Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks. An attacker could provide a URL that included a string like /...%5C/ This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot. See also: CVE-2001-1335
Frequently asked questions
Common questions about CAPEC-64.
- What is CAPEC-64?
- This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
- How does a Using Slashes and URL Encoding Combined to Bypass Validation Logic attack work?
- It typically unfolds over 4 phases. It begins with: The attacker accesses the server using a specific URL.
- How do you prevent CAPEC-64?
- Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.
- What weaknesses does CAPEC-64 target?
- CAPEC-64 exploits 9 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-73 (External Control of File Name or Path), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')).
- How severe is CAPEC-64?
- MITRE rates CAPEC-64 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-64
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.