Detailed attack pattern

Draft

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Frequently asked questions

Common questions about CAPEC-64.

What is CAPEC-64?

How does a Using Slashes and URL Encoding Combined to Bypass Validation Logic attack work?

It typically unfolds over 4 phases. It begins with: The attacker accesses the server using a specific URL.

How do you prevent CAPEC-64?

Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.

What weaknesses does CAPEC-64 target?

CAPEC-64 exploits 9 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-73 (External Control of File Name or Path), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')).

How severe is CAPEC-64?

MITRE rates CAPEC-64 as High severity with high likelihood of attack.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

How to detect it

Examples

Frequently asked questions

What is CAPEC-64?

How does a Using Slashes and URL Encoding Combined to Bypass Validation Logic attack work?

How do you prevent CAPEC-64?

What weaknesses does CAPEC-64 target?

How severe is CAPEC-64?

References

Defend against CAPEC-64

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Peer

Frequently asked questions

What is CAPEC-64?

How does a Using Slashes and URL Encoding Combined to Bypass Validation Logic attack work?

How do you prevent CAPEC-64?

What weaknesses does CAPEC-64 target?

How severe is CAPEC-64?

References

Defend against CAPEC-64