Difference between revisions of "Double Encoding"

From OWASP
Jump to: navigation, search
(Related Vulnerabilities)
Line 21: Line 21:
  
 
==Related Vulnerabilities==
 
==Related Vulnerabilities==
[[Lack of Input Validation]]
+
[[:Category:Lack of Input Validation]]
  
 
==Related Countermeasures==
 
==Related Countermeasures==

Revision as of 11:31, 9 June 2006

This is an Attack. To view all attacks, please see the Attack Category page.


Description

Using double encoding to bypass security checks that only decoded user input once. The decoded user input will pass this security checks and then later be used in backend platforms or modules that understand the encoding but don't have the corresponding security checks in place.

Examples

  • Use double URL encoded XSS script to bypass a built-in XSS detection module. The first layer of the encodings will be decoded by the HTTP protocol and the resultant URL encoded script will be able to pass the built-in XSS detection module and gets into the application. If this script is returned to a victim user by the application later, the script is going to fire on the victim's browser.
  • CAN-2004-1938 - "%2527" (double-encoded single quote) used in SQL injection.
  • CVE-2001-0333 - Directory traversal using double encoding.

For more details, see PLOVER - Double Encoding

Related Threats

Attackers try to bypass some security checks.

Related Attacks

SQL Injection XSS Attacks

Related Vulnerabilities

Category:Lack of Input Validation

Related Countermeasures

Input Validation

Categories

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.