CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
CAPEC version: 3.9
Last updated: 2023-01-24
Attack Pattern Description
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understand the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
Execution Flow
Step 1: Explore
[Survey the application for user-controllable inputs] Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
- Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
- Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
- Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Step 2: Experiment
[Probe entry points to locate vulnerabilities] The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various Unicode encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
- Try to use Unicode encoding of content in Scripts in order to bypass validation routines.
- Try to use Unicode encoding of content in HTML in order to bypass validation routines.
- Try to use Unicode encoding of content in CSS in order to bypass validation routines.
Prerequisites
- Filtering is performed on data that has not been properly canonicalized.
Skills Required
Consequences
Scope: Confidentiality, Access Control, Authorization
Technical Impact: Bypass Protection Mechanism
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute Unauthorized Commands
Note: Run Arbitrary Code
Scope: Integrity
Technical Impact: Modify Data
Scope: Availability
Technical Impact: Unreliable Execution
Mitigations
Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII.
Ensure that filtering or input validation is applied to canonical data.
Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.
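The following Python example is added here to illustrate the mitigations above; it is not part of the CAPEC entry. It contrasts a deny-list filter applied to raw input with a filter that first strictly decodes and NFKC-normalizes the data and then checks it against an allowlist. The sample strings (fullwidth angle brackets, fullwidth dots and slash, an overlong UTF-8 byte pair) and the function names are constructed for the demonstration.

```python
import unicodedata

# Constructed sample inputs (not taken from the CAPEC entry).
# Fullwidth forms are compatibility variants that NFKC folds to plain ASCII.
SAMPLES = {
    "plain": "hello",
    "ascii_tag": "<script>",
    "fullwidth_tag": "\uff1cscript\uff1e",          # U+FF1C '<' and U+FF1E '>'
    "fullwidth_traversal": "\uff0e\uff0e\uff0fsecret",  # U+FF0E '.' and U+FF0F '/'
}

# Deny-list used by the naive filter; it only knows the ASCII spellings.
FORBIDDEN_SUBSTRINGS = ("<", ">", "..", "/")


def naive_filter(value: str) -> bool:
    """Deny-list check on the raw, non-canonical string.

    Returns True when the input is accepted. Because the check runs before any
    canonicalization, a compatibility variant of a forbidden character passes.
    """
    return not any(bad in value for bad in FORBIDDEN_SUBSTRINGS)


def canonicalize(value: str) -> str:
    """Map the string to its canonical form before any validation runs."""
    return unicodedata.normalize("NFKC", value)


def strict_decode(raw: bytes) -> str:
    """Decode UTF-8 strictly.

    Python's UTF-8 codec rejects overlong and otherwise malformed sequences with
    UnicodeDecodeError instead of silently mapping them to a character, so the
    caller never sees a non-canonical byte encoding of an ASCII character.
    """
    return raw.decode("utf-8", errors="strict")


def hardened_filter(value: str) -> bool:
    """Allowlist check applied to canonical data.

    Only ASCII letters, digits, space, hyphen and underscore are permitted;
    anything else (including characters that only become '<' or '/' after
    normalization) is rejected.
    """
    canonical = canonicalize(value)
    if not canonical:
        return False
    return all(ch.isascii() and (ch.isalnum() or ch in " -_") for ch in canonical)


def accepts_malformed_bytes(raw: bytes) -> bool:
    """Report whether strict decoding would let a byte sequence through."""
    try:
        strict_decode(raw)
    except UnicodeDecodeError:
        return False
    return True


def compare_filters() -> dict:
    """Run both filters over the samples; True means the input was accepted."""
    return {
        name: {"naive": naive_filter(s), "hardened": hardened_filter(s)}
        for name, s in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:20s} naive={verdict['naive']!s:5s} hardened={verdict['hardened']}")
    # Constructed overlong encoding of '/', rejected by the strict decoder.
    print("overlong bytes accepted:", accepts_malformed_bytes(b"\xc0\xaf"))
```

The naive filter accepts the fullwidth samples because it never sees an ASCII `<` or `/`; a downstream component that normalizes the string then receives `<script>` and `../secret`. The hardened filter normalizes first, so those same inputs are rejected, and the strict decoder refuses the overlong byte pair outright rather than guessing at what it was meant to represent.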
Example Instances
See also: CVE-2000-0884
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| OWASP Attacks | - | Unicode Encoding |