Double encoding is the act of encoding data twice in a row using the same encoding scheme. It is usually used as an attack technique to bypass authorization schemes or security filters that intercept user input. In double encoding attacks against security filters, characters of the payload that the filters treat as illegal are replaced with their double-encoded form. Double URI-encoding is a special type of double encoding in which data is URI-encoded twice in a row. It has been used to bypass authorization schemes and security filters against code injection, directory traversal, cross-site scripting (XSS) and SQL injection.


Description

In double encoding, data is encoded twice in a row using the same encoding scheme; that is, the double-encoded form of data X is Encode(Encode(X)), where Encode is an encoding function. Double encoding is usually used as an attack technique to bypass authorization schemes or security filters that intercept user input. In double encoding attacks against security filters, characters of the payload that the filters treat as illegal are replaced with their double-encoded form. Security filters might treat data X and its encoded form Encode(X) as illegal. However, it is still possible for Encode(Encode(X)), the double-encoded form of X, not to be treated as illegal by the filters and hence to pass through them; later on, the target system may decode the value twice and use the double-decoded form of Encode(Encode(X)), which is X, something the filters would have treated as illegal. The attack therefore depends on a mismatch between how many times the filter decodes the input (zero or one) and how many times the target decodes it (one more).


Double URI-encoding

Double URI-encoding, also referred to as double percent-encoding, is a special type of double encoding in which data is URI-encoded twice in a row. In other words, the double-URI-encoded form of data X is URI-encode(URI-encode(X)). For example, to calculate the double-URI-encoded form of <, first < is URI-encoded as %3C, which in turn is URI-encoded as %253C; that is, double-URI-encode(<) = URI-encode(URI-encode(<)) = URI-encode(%3C) = %253C. As another example, to calculate the double-URI-encoded form of ../, first ../ is URI-encoded as %2E%2E%2F, which in turn is URI-encoded as %252E%252E%252F; that is, double-URI-encode(../) = URI-encode(URI-encode(../)) = URI-encode(%2E%2E%2F) = %252E%252E%252F. Only the percent sign changes in the second round: % is encoded as %25, while the hexadecimal digits that follow it are left alone. Double URI-encoding is usually used as an attack technique against web applications and web browsers to bypass authorization schemes and security filters that intercept user input. For example, because . and its URI-encoded form %2E are used in some directory traversal attacks, they are usually treated as illegal by security filters. However, it is still possible for %252E, the double-URI-encoded form of ., not to be treated as illegal by such filters and hence to pass through them; later on, when the target system builds the path that the directory traversal attack aims at, it may use the double-URI-decoded form of %252E, which is ., something the filters would have treated as illegal. Double URI-encoding attacks have been used to bypass authorization schemes and security filters against code injection, directory traversal, XSS and SQL injection.
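The following Python program is an added example, not part of the original article, that reproduces the two encodings above and shows why the double-encoded form slips past a filter. The filter and the backend are models written for this example: the filter inspects the raw query-string value and rejects ../ together with its single-URI-encoded form, and the backend decodes the value twice (the web server's own decode followed by an application-level decode, the situation the PHP programs later on this page are in). The payload ../../../../etc/passwd is a constructed sample.

```python
"""Double URI-encoding: what a filter sees versus what the target decodes."""
from typing import Optional, Tuple
from urllib.parse import unquote


def uri_encode(s: str) -> str:
    """Percent-encode every byte except ASCII letters and digits.

    Stricter than RFC 3986 requires ('.' is unreserved there), but it
    reproduces the page's examples, where '../' becomes %2E%2E%2F.
    """
    return "".join(
        chr(b) if chr(b).isascii() and chr(b).isalnum() else f"%{b:02X}"
        for b in s.encode("utf-8")
    )


def double_uri_encode(s: str) -> str:
    """Encode(Encode(s)): the form the attacker actually sends."""
    return uri_encode(uri_encode(s))


# Traversal sequences together with their single-URI-encoded forms, which is
# what a filter that "knows about" URI encoding typically looks for.
TRAVERSAL_SIGNATURES = ("../", "..\\", "%2E%2E%2F", "%2E%2E%5C")


def filter_blocks(raw_query_value: str) -> bool:
    """Model of a filter (a WAF, say) that inspects the raw query-string value.

    It rejects '../' and its single-encoded form, case-insensitively, but it
    never decodes the value itself.
    """
    haystack = raw_query_value.upper()
    return any(sig.upper() in haystack for sig in TRAVERSAL_SIGNATURES)


def backend_value(raw_query_value: str) -> str:
    """Model of the target behind the filter.

    The web server decodes the query string once (this is what PHP's $_GET
    holds); the application then calls urldecode() on it again, as the PHP
    programs on this page do.  Two decodes in total.
    """
    once = unquote(raw_query_value)
    return unquote(once)


def attempt(raw_query_value: str) -> Tuple[bool, Optional[str]]:
    """Send one raw value through filter and backend.

    Returns (blocked, value_the_backend_uses); the value is None when blocked.
    """
    if filter_blocks(raw_query_value):
        return True, None
    return False, backend_value(raw_query_value)


if __name__ == "__main__":
    payload = "../../../../etc/passwd"  # constructed sample payload
    for label, sent in (
        ("plain", payload),
        ("single-encoded", uri_encode(payload)),
        ("double-encoded", double_uri_encode(payload)),
    ):
        blocked, used = attempt(sent)
        print(f"{label:15} sent={sent}")
        print(f"{'':15} blocked={blocked} backend_uses={used!r}")
    print("double_uri_encode('<') =", double_uri_encode("<"))
```

The plain and single-encoded payloads are blocked because the filter recognises both ../ and %2E%2E%2F. The double-encoded payload contains neither substring (its raw form has %252E where the filter expects %2E), so it passes, and the backend's second decode turns it back into ../../../../etc/passwd.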


Prevention

Decoding user input twice using the same decoding scheme, once before a security measure and once afterwards, may allow double encoding attacks to bypass that security measure. Thus, to prevent double encoding attacks, all decoding operations on user input should occur before the authorization schemes and security filters that intercept it, and the input should be decoded exactly as many times as the application will later interpret it (normally once, which the web server or framework has usually already done). A value that still contains encoded sequences after that single decode is a sign of a multiply encoded payload; it should be rejected rather than decoded again, and the filter should run on the canonical, decoded value.


Examples


PHP

In the PHP programming language, data items in $_GET and $_REQUEST are already URI-decoded, and thus programmers should avoid calling the urldecode function on them. The PHP documentation for urldecode warns: "Warning: The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results." Calling urldecode on data read from $_GET or $_REQUEST causes the data to be URI-decoded once more than it should be, and hence opens the possibility of double URI-encoding attacks.


Directory traversal

In the following PHP program, the value of $_GET["file"] is used to build the path of the file to be sent to the user. This opens the possibility of directory traversal attacks that carry their payload in the HTTP GET parameter file. As a security filter against directory traversal attacks, the program searches the value it reads from $_GET["file"] for directory traversal sequences and exits if it finds one. However, after this filter, the program URI-decodes the data it has read from $_GET["file"] once more, which makes it vulnerable to double URI-encoding attacks.

    <?php
    /* Read user input (PHP has already URI-decoded it once) */
    $path = $_GET["file"];

    /* Security filter */
    /* Exit if user input contains directory traversal sequence */
    if (strstr($path, "../") or strstr($path, "..\\"))
        exit;

    /* URI-decode user input once again */
    $path = urldecode($path);

    /* Build file path to be sent using user input */
    echo htmlentities(file_get_contents("uploads/" . $path));
    ?>

This filter prevents payloads such as ../../../../etc/passwd and its URI-encoded form %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd. However, %252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd, the double-URI-encoded form of ../../../../etc/passwd, bypasses it. When that double-URI-encoded payload is used, PHP's own decoding of the query string leaves $_GET["file"] holding %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd, which contains no directory traversal sequence and thus passes the filter; it is then given to urldecode, which returns ../../../../etc/passwd, resulting in a successful attack.


XSS

In the following PHP program, the value of $_GET["name"] is used to build a message to be shown to the user. This opens the possibility of XSS attacks that carry their payload in the HTTP GET parameter name. As a security filter against XSS attacks, the program sanitizes the value it reads from $_GET["name"] via the htmlentities function. However, after this filter, the program URI-decodes the data it has read from $_GET["name"] once more, which makes it vulnerable to double URI-encoding attacks.

    <?php
    /* Read user input (PHP has already URI-decoded it once) */
    $name = $_GET["name"];

    /* Security filter */
    /* Sanitize user input via htmlentities */
    $name = htmlentities($name);

    /* URI-decode user input once again */
    $name = urldecode($name);

    /* Build message to be shown using user input */
    echo "Hello " . $name;
    ?>

This filter prevents payloads such as <script>alert(1)</script> and its URI-encoded form %3Cscript%3Ealert%281%29%3C%2Fscript%3E. However, %253Cscript%253Ealert%25281%2529%253C%252Fscript%253E, the double-URI-encoded form of <script>alert(1)</script>, bypasses it. When that double-URI-encoded payload is used, $_GET["name"] holds %3Cscript%3Ealert%281%29%3C%2Fscript%3E, which contains no character that htmlentities would encode (only letters, digits and percent signs) and thus passes through the filter unchanged; it is then given to urldecode, which returns <script>alert(1)</script>, and that is echoed into the page, resulting in a successful attack.
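As an added example covering the Prevention section and both PHP programs above, the Python program below gives hardened counterparts of the two handlers. It is not the article's code and not PHP; it models PHP's behaviour with Python's urllib.parse.unquote standing in for the decode the web server has already applied, and html.escape standing in for htmlentities. The upload directory /var/www/uploads, the function names and the sample inputs are all assumptions made for this example. The design follows the rule stated in Prevention: decode once, before any check; refuse input that is still encoded after that decode; run the filter on the decoded value; and, for file paths, confirm that the resolved path stays under the intended directory, which catches an absolute path that no substring filter would.

```python
"""Decode before you filter, decode only once, and check the result.

Hardened counterparts of the two vulnerable PHP programs on this page.
"""
import html
import posixpath
from urllib.parse import unquote

# Assumed base directory for the file handler (hypothetical).
UPLOAD_ROOT = "/var/www/uploads"


class RejectedInput(ValueError):
    """Raised when user input fails a check and the request must stop."""


def canonicalize(raw_query_value: str) -> str:
    """Perform the one legitimate decode first, and reject residual encoding.

    The single unquote() stands for the decode the web server already applies
    (what $_GET holds in PHP).  If decoding the result *again* would still
    change it, the client sent a multiply encoded value, which is exactly the
    double-encoding trick; rather than decoding further, refuse it.  This also
    rejects a legitimate file name that itself contains a percent-encoded
    sequence, an accepted trade-off here.
    """
    decoded = unquote(raw_query_value)
    if unquote(decoded) != decoded:
        raise RejectedInput("multiply encoded input")
    return decoded


def traversal_filter(decoded: str) -> None:
    """The page's filter, now run on the canonical (decoded) value."""
    if "../" in decoded or "..\\" in decoded:
        raise RejectedInput("directory traversal sequence")


def safe_upload_path(raw_query_value: str) -> str:
    """Hardened 'file' handler: decode once, filter, then confirm containment.

    The containment check catches what a substring filter alone cannot, e.g.
    an absolute path such as /etc/passwd, which join() would happily honour.
    """
    decoded = canonicalize(raw_query_value)
    traversal_filter(decoded)
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, decoded))
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise RejectedInput("path escapes upload root")
    return target


def safe_greeting(raw_query_value: str) -> str:
    """Hardened 'name' handler: decode once, then escape last, at output time.

    Nothing is decoded after html.escape(), so what was escaped is what the
    browser receives.
    """
    decoded = canonicalize(raw_query_value)
    return "Hello " + html.escape(decoded)


def outcome(handler, raw_query_value: str) -> str:
    """Run a handler on one raw query-string value and describe the result."""
    try:
        return "accepted: " + handler(raw_query_value)
    except RejectedInput as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: benign, single-encoded, double-encoded, absolute.
    for value in (
        "report.txt",
        "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd",
        "%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd",
        "%2Fetc%2Fpasswd",
    ):
        print(f"file={value}\n  {outcome(safe_upload_path, value)}")
    for value in (
        "Alice",
        "%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
        "%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E",
    ):
        print(f"name={value}\n  {outcome(safe_greeting, value)}")
```

With this ordering the double-encoded payloads from both PHP examples are rejected as "multiply encoded input" before any filter runs, the single-encoded traversal payload is caught by the same filter the page uses because it now sees the decoded value, and the XSS payload, even if it arrived in plain form, is escaped at the last step with no decode after it.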




External links


OWASP entry for double encoding attacks

