From: David Wong (david.wongfoundstone.com)
Date: Tue Dec 04 2001 - 10:22:34 CST
I was looking through the Attack Components list for Input Validation and it
appears to me that there is a class of attacks not fully addressed. The
Unicode Strings and URL encoded strings belong in a class of bug that
Michael Howard terms "Canonicalization" bugs in his book "Writing Secure
Code". There is an entire chapter about Canonical representation issues in
the book, but I'll try to briefly describe it here for the list.
The web application makes security decisions based on a string (a URL, an
HTTP header, a cookie value), and if the string can be represented in
another, non-canonical, form, the application can make an incorrect
decision. Let's use the two examples above.
- Unicode representation, this is classic.
canonical form of this URL and the one that is executed by IIS is
http://www.victim.com/winnt/system32/cmd.exe?c+dir. So, an incorrect
decision was made that cmd.exe was in the /scripts directory and hence
executable, and it also bypassed the parent paths check.
- URL encoded input, a contrived example here is that you could access a
secure directory by encoding part of the string, such as
http://www.victim.com/%73ecure which would have the canonical form
My point is, there are many MORE examples of similar types of problems that
are not part of the Attack Components. Does it make sense to individually
list these in the Input Validation section, or to create another subsection,
possibly canonicalization attacks? The way it is grouped isn't that
important, but if we look at the problem as canonical representation bugs, we
can work to identify all the problems that fall under this category. Here's
a list of some similar bugs off the top of my head.
- UCS-2 Unicode encoding
- UTF-8 encoding
- Double encoding
- ANY type of encoding the app/OS understands. For example, foreign
- Dotless IP http://3232286052/ is really http://192.168.197.100
- FAT32 filesystem names SECRET~1.TXT can be SECRETFILE.TXT
- Relative file names vs. Absolute filenames
- UNC file names
- \\?\ format in Windows
BTW, all credit goes to Michael Howard for the canonicalization
classification, and his new book is excellent. Most of the bugs above are
described in the book.
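The following Python is an added example for this thread (it is not code from the original post, from Foundstone, or from the book it cites): it makes the access decision on the canonical form of a request path and host instead of on the raw string, and it covers the cases the post lists, namely overlong UTF-8, percent and double encoding, backslash and relative paths, and dotless or hex IP addresses. The request paths, the hosts, the "/scripts/" and "/secure/" prefixes, and the lenient UTF-8 decoder are all constructed for illustration; because the post's own example URLs are partly missing from the page, the overlong sequence %c0%af (a non-shortest encoding of "/") is assumed as the Unicode input.

```python
# Added example (not from the original post): decide on the canonical form.
import ipaddress
import posixpath
from urllib.parse import unquote_to_bytes


def lenient_utf8(data: bytes) -> str:
    """Model of a decoder that accepts overlong two-byte UTF-8 sequences.

    C0 AF is not valid UTF-8, but a decoder that only masks bits yields
    U+002F ('/').  Assumption: a simplified model for illustration, not a
    reproduction of any specific product's decoder.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def path_as_flawed_server_sees_it(raw: str) -> str:
    """What a server using the lenient decoder would actually open."""
    return posixpath.normpath(lenient_utf8(unquote_to_bytes(raw.encode("ascii"))))


def canonical_path(raw: str, decode_rounds: int = 1) -> str:
    """Return the canonical absolute path for a raw URL path, or raise ValueError.

    decode_rounds=1 is the intended behaviour (decode exactly once).  A larger
    value models a back end that decodes again after the check, which is what
    turns a double-encoded "%252f" into a separator.
    """
    data = raw.encode("ascii")          # URL paths are ASCII on the wire
    for _ in range(decode_rounds):
        data = unquote_to_bytes(data)
    text = data.decode("utf-8")         # strict: overlong forms raise UnicodeDecodeError
    if "\x00" in text:
        raise ValueError("NUL byte in path")
    if "%" in text:
        # Policy choice for this example: a percent sign surviving the decode
        # means another encoding layer; reject it rather than decode again.
        raise ValueError("path still looks encoded (double encoding?)")
    text = text.replace("\\", "/")      # Windows back ends treat both as separators
    if not text.startswith("/"):
        raise ValueError("relative path")
    return posixpath.normpath(text)     # resolves '.', '..' and '//'


def naive_allows(raw: str, public_prefix: str, parent_marker: str = "/../") -> bool:
    """The flawed decision: it looks at the raw string only."""
    return raw.startswith(public_prefix) and parent_marker not in raw


def canonical_allows(raw: str, public_prefix: str, decode_rounds: int = 1) -> bool:
    """The sound decision: canonicalise first, deny whatever fails to canonicalise."""
    try:
        path = canonical_path(raw, decode_rounds)
    except ValueError:
        return False
    prefix = posixpath.normpath(public_prefix)
    return path == prefix or path.startswith(prefix + "/")


def canonical_host(host: str) -> str:
    """Normalise a host: dotless or hex integers become dotted quads, names are lowercased."""
    try:
        return str(ipaddress.ip_address(int(host, 0)))   # "3232286052" or "0xc0a8c564"
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_address(host))            # already a literal address
    except ValueError:
        return host.lower().rstrip(".")


if __name__ == "__main__":
    # Constructed inputs for illustration.
    overlong = "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe"
    double = "/scripts/..%252f..%252fwinnt/system32/cmd.exe"
    encoded = "/%73ecure/payroll.txt"
    print("naive:", naive_allows(overlong, "/scripts/"),
          "canonical:", canonical_allows(overlong, "/scripts/"),
          "server opens:", path_as_flawed_server_sees_it(overlong))
    print("double-decoding back end opens:", canonical_path(double, 2))
    print("encoded /secure path is really:", canonical_path(encoded))
    print("dotless host:", canonical_host("3232286052"))
```

The naive check passes the overlong request because the raw string starts with "/scripts/" and contains no literal "/../"; the strict decoder rejects it, while the lenient model shows the server resolving it to /winnt/system32/cmd.exe. Decoding once and refusing to decode again is what blocks the double-encoded form, and comparing the normalised host rather than the typed one is what defeats the dotless IP trick.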