CAPEC-267: Leverage Alternate Encoding

Description

An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

Extended Description

Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. If the server does not verify that the query matches one of the expected templates, an adversary who is allowed to send normal queries could modify their query to try to return additional information. The adversary may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation.

Severity :

High

Possibility :

High

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters Using Leading 'Ghost' Character Sequences to Bypass Input Filters CAPEC-4: Using Alternative IP Address Encodings Using Alternative IP Address Encodings CAPEC-43: Exploiting Multiple Input Interpretation Layers Exploiting Multiple Input Interpretation Layers CAPEC-52: Embedding NULL Bytes Embedding NULL Bytes CAPEC-53: Postfix, Null Terminate, and Backslash Postfix, Null Terminate, and Backslash CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic Using Slashes and URL Encoding Combined to Bypass Validation Logic CAPEC-71: Using Unicode Encoding to Bypass Validation Logic Using Unicode Encoding to Bypass Validation Logic CAPEC-72: URL Encoding URL Encoding CAPEC-78: Using Escaped Slashes in Alternate Encoding Using Escaped Slashes in Alternate Encoding CAPEC-79: Using Slashes in Alternate Encoding Using Slashes in Alternate Encoding CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic Using UTF-8 Encoding to Bypass Validation Logic CAPEC-120: Double Encoding Double Encoding CAPEC-153: Input Data Manipulation Input Data Manipulation

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The application's decoder accepts and interprets encoded characters. Data canonicalization, input filtering and validating is not done properly leaving the door open to harmful characters for the target host.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low An adversary can inject different representation of a filtered character in a different encoding.
Medium An adversary may craft subtle encoding of input data by using the knowledge that they have gathered about the target host.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Obfuscated Files or Information

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-20: Improper Input Validation

CWE-73: External Control of File Name or Path

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-172: Encoding Error

CWE-173: Improper Handling of Alternate Encoding

CWE-180: Incorrect Behavior Order: Validate Before Canonicalize

CWE-181: Incorrect Behavior Order: Validate Before Filter

CWE-692: Incomplete Denylist to Cross-Site Scripting

CWE-697: Incorrect Comparison

Visit http://capec.mitre.org/ for more details.