CAPEC-71 Using Unicode Encoding to Bypass Validation Logic

CAPEC ID: 71

CAPEC-71 Metadata

Likelihood of Attack

Medium

Typical Severity

High

Overview

Summary

An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.

Prerequisites

Filtering is performed on data that has not be properly canonicalized.

Execution Flow

Step Phase Description Techniques
1 Explore [Survey the application for user-controllable inputs] Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
  • Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
  • Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
  • Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
2 Experiment [Probe entry points to locate vulnerabilities] The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various Unicode encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
  • Try to use Unicode encoding of content in Scripts in order to bypass validation routines.
  • Try to use Unicode encoding of content in HTML in order to bypass validation routines.
  • Try to use Unicode encoding of content in CSS in order to bypass validation routines.

Potential Solutions / Mitigations

Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII. Ensure that filtering or input validation is applied to canonical data. Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.

Related Weaknesses (CWE)

CWE ID Description
CWE-20 Improper Input Validation
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-172 Encoding Error
CWE-173 Improper Handling of Alternate Encoding
CWE-176 Improper Handling of Unicode Encoding
CWE-179 Incorrect Behavior Order: Early Validation
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-183 Permissive List of Allowed Inputs
CWE-184 Incomplete List of Disallowed Inputs
CWE-692 Incomplete Denylist to Cross-Site Scripting
CWE-697 Incorrect Comparison

Related CAPECs

CAPEC ID Description
CAPEC-267 An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

Taxonomy Mappings

Taxonomy: OWASP Attacks

Entry ID Entry Name
Link Unicode Encoding

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.