CAPEC-120: Double Encoding

Description

The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.

Extended Description

This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data. As a result of these interactions, the adversary is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. Examplar exchanges with the target may trigger unhandled exceptions or verbose error messages that reveal information like stack traces, configuration information, path information, or database design. This type of attack also includes the manipulation of query strings in a URI to produce invalid SQL queries, or by trying alternative path values in the hope that the server will return useful information.

Severity :

Medium

Possibility :

Low

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-267: Leverage Alternate Encoding Leverage Alternate Encoding

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.
The application accepts and decodes URL string request.
The application performs insufficient filtering/canonicalization on the URLs.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Tools that automate encoding of data can assist the adversary in generating encoded strings.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-20: Improper Input Validation

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-172: Encoding Error

CWE-173: Improper Handling of Alternate Encoding

CWE-177: Improper Handling of URL Encoding (Hex Encoding)

CWE-181: Incorrect Behavior Order: Validate Before Filter

CWE-183: Permissive List of Allowed Inputs

CWE-184: Incomplete List of Disallowed Inputs

CWE-692: Incomplete Denylist to Cross-Site Scripting

CWE-697: Incorrect Comparison

Visit http://capec.mitre.org/ for more details.