CAPEC-71: Using Unicode Encoding to Bypass Validation Logic

Description
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understand the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
Extended Description

Chip designers often include design elements in a chip for debugging and troubleshooting such as:

  • Various Test Access Ports (TAPs) which allow boundary scan commands to be executed.
  • Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip.
  • Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs.
    • Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.

Severity: High

Possibility: Medium

Type: Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Prerequisites

  • Filtering is performed on data that has not been properly canonicalized.
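
The prerequisite above, shown from the defender's side as an added example that is not part of the CAPEC entry: a filter that inspects input before canonicalization next to one that strictly decodes and NFKC-normalizes first. The `BLOCKED` deny-list, the function names and the sample inputs are constructed for illustration.

```python
import unicodedata
from typing import Optional

BLOCKED = ("<script", "../")  # hypothetical deny-list, for illustration only

def naive_accepts(raw: bytes) -> bool:
    """Flawed ordering: the filter inspects the input before any canonicalization."""
    text = raw.decode("utf-8", errors="replace")  # lenient decode hides ill-formed bytes
    return not any(tok in text.lower() for tok in BLOCKED)

def canonicalize(raw: bytes) -> Optional[str]:
    """Return one canonical form, or None if the bytes are not well-formed UTF-8."""
    try:
        text = raw.decode("utf-8", errors="strict")  # rejects overlong sequences
    except UnicodeDecodeError:
        return None
    # NFKC folds compatibility characters (fullwidth forms etc.) to plain equivalents
    return unicodedata.normalize("NFKC", text).casefold()

def validate(raw: bytes) -> Optional[str]:
    """Canonicalize first, filter second; callers must use the returned string."""
    canon = canonicalize(raw)
    if canon is None or any(tok in canon for tok in BLOCKED):
        return None
    return canon

# Constructed sample inputs
SAMPLES = {
    "plain": b"report.txt",
    "fullwidth_markup": "\uff1cscript\uff1e".encode("utf-8"),
    "fullwidth_path": "\uff0e\uff0e\uff0fetc".encode("utf-8"),
    "overlong_bytes": b"\xc0\xae\xc0\xae/etc",
}

def compare() -> dict:
    """Map each sample to (accepted by naive filter, accepted by validate)."""
    return {name: (naive_accepts(raw), validate(raw) is not None)
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:18} naive={naive!s:5} canonicalize-first={hardened}")
```

Downstream code should consume the string returned by `validate`, not the original bytes, so that the value checked and the value used are the same.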
Skills required

  • Medium: An attacker needs to understand Unicode encodings and have an idea (or be able to find out) what system components may not be Unicode aware.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Visit http://capec.mitre.org/ for more details.