Difference between revisions of "Unicode Encoding"

From OWASP
Jump to: navigation, search
(Related Vulnerabilities)
Line 2: Line 2:
 
<br>
 
<br>
 
[[Category:OWASP ASDR Project]]
 
[[Category:OWASP ASDR Project]]
[[ASDR Table of Contents]]__TOC__
+
[[ASDR Table of Contents]]
  
  
 
==Description==
 
==Description==
 
 
The attack aims to explore flaws in the decoding mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or to force browsing to protected pages.
 
The attack aims to explore flaws in the decoding mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or to force browsing to protected pages.
 
==Risk Factors==
 
 
High
 
Likelihood of exploitation
 
 
High
 
  
 
==Examples ==
 
==Examples ==
 
 
Consider a web application which has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” ([[Path Traversal]] Attack) using Unicode format and attempt to access the protected resource, as follows:
 
Consider a web application which has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” ([[Path Traversal]] Attack) using Unicode format and attempt to access the protected resource, as follows:
  

Revision as of 20:13, 16 February 2009

This is an Attack. To view all attacks, please see the Attack Category page.



ASDR Table of Contents


Description

The attack aims to explore flaws in the decoding mechanism implemented on applications when decoding Unicode data format. An attacker can use this technique to encode certain characters in the URL to bypass application filters, thus accessing restricted resources on the Web server or to force browsing to protected pages.

Examples

Consider a web application which has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” (Path Traversal Attack) using Unicode format and attempt to access the protected resource, as follows:

Original Path Traversal attack URL (without Unicode Encoding):

http://vulneapplication/../../appusers.txt

Path Traversal attack URL with Unicode Encoding:

http://vulneapplication/%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt

The Unicode encoding for the URL above will produce the same result as the first URL (Path Traversal Attack). However, if the application has certain input security filter mechanism, it could refuse any request containing “../” sequence, thus blocking the attack. However, if this mechanism doesn’t consider character encoding, the attacker can bypass and access protected resource.

Other consequences of this type of attack are privilege escalation, arbitrary code execution, data modification, and denial of service.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References