CAPEC-267: Leverage Alternate Encoding

Description
An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.
Extended Description

Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. If the server does not verify that the query matches one of the expected templates, an adversary who is allowed to send normal queries could modify their query to try to return additional information. The adversary may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation.

Severity :

High

Possibility :

High

Type :

Standard
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The application's decoder accepts and interprets encoded characters. Data canonicalization, input filtering and validating is not done properly leaving the door open to harmful characters for the target host.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low An adversary can inject different representation of a filtered character in a different encoding.
  • Medium An adversary may craft subtle encoding of input data by using the knowledge that they have gathered about the target host.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Visit http://capec.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 20, 2024 11:05