Date: 2011-06-29 12:09:00  Source: collected by this site

Double Encoding: bypassing web application firewalls (WAF) [Network Technology]


Description
----------------------------------------------------
This attack technique consists of encoding user request parameters twice in hexadecimal (percent) format in order to bypass security controls or cause unexpected behavior in the application. It is possible because the web server accepts and processes client requests in many encoded forms.

By using double encoding it is possible to bypass security filters that only decode user input once. The second decoding step is performed by the backend platform or by modules that correctly handle encoded data but do not have the corresponding security checks in place.

Attackers can inject double encoding in pathnames or query strings to bypass the authentication schema and security filters in use by the web application.

There are some common character sets that are used in web application attacks. For example, path traversal attacks use "../" (dot-dot-slash), while XSS attacks use the "<" and ">" characters. The hexadecimal representation of these characters differs from that of normal data, which is what filters look for.

For example, "../" (dot-dot-slash) is represented as %2E%2E%2F in hexadecimal. When the % symbol is itself encoded, its hexadecimal representation is %25. The result of double encoding "../" (dot-dot-slash) is therefore %252E%252E%252F:

The hexadecimal encoding of "../" is "%2E%2E%2F"
Encoding the "%" gives "%25"
The double encoding of "../" is therefore "%252E%252E%252F"

Risk Factors
----------------------------------------------------
TBD

Examples
----------------------------------------------------
Example 1
This example presents an old, well-known vulnerability found in IIS versions 4.0 and 5.0, where an attacker could bypass an authorization schema and gain access to any file on the same drive as the web root directory due to an issue in the decoding mechanism. For more details about this folder traversal vulnerability, see CVE-2001-0333.

In this scenario, the victim has a published executable directory (e.g. cgi) stored on the same partition as the Windows system folder. An attacker could execute arbitrary commands on the web server by submitting the following URL:

Original URL:
http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
However, the application uses a security filter that refuses requests containing sequences like "../". By double encoding the URL, it is possible to bypass the security filter:

Double encoded URL:
http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\


Example 2
A double encoded URL can be used to perform an XSS attack that bypasses a built-in XSS detection module. Depending on the implementation, the first decoding step is performed by the HTTP layer, and the resulting, still-encoded URL bypasses the XSS filter, since the filter has no further decoding or detection mechanism. A simple example of XSS would be:
<script>alert('XSS')</script>
This malicious code could be inserted into a vulnerable application, resulting in an alert window with the message "XSS". However, the web application may have a character filter which prohibits characters such as "<", ">" and "/", since they are used in web application attacks. The attacker could use the double encoding technique to bypass the filter and exploit the client's session. The encoding process for this JavaScript is:

Char   Hex encode   Then encoding "%"   Double encode
"<"    "%3C"        "%25"               "%253C"
"/"    "%2F"        "%25"               "%252F"
">"    "%3E"        "%25"               "%253E"

Finally, the double-encoded payload is:
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
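The single-decode filter described above, beside a hardened check that decodes to a fixed point before inspecting, as an added example (not OWASP's or this page's own code). `SUSPICIOUS`, `canonicalize` and the round limit of 5 are assumptions; the encoder reproduces the page's sample values for "../" and the script tag so the two filters can be compared on them.

```python
from urllib.parse import unquote

# Sequences the filters on this page try to block: traversal and script tags.
SUSPICIOUS = ("../", "..\\", "<script", "</script")

def percent_encode(value: str, targets: str) -> str:
    """Hex-encode only the characters listed in `targets`, leaving the rest as-is."""
    return "".join(f"%{ord(c):02X}" if c in targets else c for c in value)

def double_encode(value: str, targets: str) -> str:
    """Encode the target characters, then encode the '%' introduced by the first pass.
    Reproduces the page's %252E%252E%252F and %253Cscript... values."""
    return percent_encode(percent_encode(value, targets), "%")

def naive_filter_blocks(value: str) -> bool:
    """The weak control: decode exactly once, then look for bad sequences."""
    decoded = unquote(value)
    return any(s in decoded.lower() for s in SUSPICIOUS)

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the value stops changing (a fixed point).
    max_rounds is an assumed limit that bounds the work for pathological input."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current

def hardened_filter_blocks(value: str, max_rounds: int = 5) -> bool:
    """Inspect the fully decoded form, and reject anything that is still
    encoded after the round limit, since legitimate input is never nested that deep."""
    canonical = canonicalize(value, max_rounds)
    if unquote(canonical) != canonical:
        return True
    return any(s in canonical.lower() for s in SUSPICIOUS)

if __name__ == "__main__":
    # Constructed samples taken from the two examples on this page
    for raw, targets in (("../", "./"), ("<script>alert('XSS')</script>", "<>/")):
        once, twice = percent_encode(raw, targets), double_encode(raw, targets)
        print(f"single: {once}")
        print(f"double: {twice}  naive={naive_filter_blocks(twice)}"
              f"  hardened={hardened_filter_blocks(twice)}")
```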


Source: https://www.owasp.org/index.php/Double_Encoding

