Unicode Encoding | OWASP Foundation
Description
This attack exploits flaws in the decoding mechanism that applications implement when decoding Unicode-encoded data. An attacker can use this technique to encode certain characters in the URL so that they bypass application filters, thereby accessing restricted resources on the web server or forcing browsing to protected pages.
Examples
Consider a web application which has restricted directories or files (e.g. a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” (Path Traversal Attack) using Unicode format and attempt to access the protected resource, as follows:
Original Path Traversal attack URL (without Unicode Encoding):
Path Traversal attack URL with Unicode Encoding:
The Unicode-encoded URL produces the same result as the first URL (a Path Traversal attack). However, if the application has an input security filter, it could refuse any request containing the “../” sequence, blocking the attack. If that filter does not take character encoding into account, the attacker can bypass it and access the protected resource.
Other consequences of this type of attack are privilege escalation,
arbitrary code execution, data modification, and denial of service.
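The filter bypass described above, as an added Python example that is not part of the original page: a naive check on the raw URL path, a deliberately lenient decoder that accepts overlong UTF-8 (modelling the decoding flaw), and a hardened check that canonicalizes the path before validating it. The sample paths and the "/public" prefix are constructed.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample URL paths (not from the original page). "%c0%ae" is the
# overlong two-byte UTF-8 form of "." (0x2E): a strict decoder must reject it,
# while a lenient decoder silently maps it back to ".".

def naive_filter_blocks(raw_path: str) -> bool:
    """The flawed check from the text: looks for '../' in the still-encoded path."""
    return "../" in raw_path

def lenient_decode(raw_path: str) -> str:
    """Models a decoder that accepts overlong UTF-8 (the flaw the page describes)."""
    data = unquote_to_bytes(raw_path)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif b & 0xE0 == 0xC0 and i + 1 < len(data):
            # Two-byte lead byte; no check that the decoded value is >= 0x80,
            # so the bytes C0 AE become 0x2E ('.') instead of an error.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)

def hardened_blocks(raw_path: str) -> bool:
    """Canonicalize first, then validate: strict UTF-8 (rejects overlong and
    invalid sequences), no leftover percent escapes (double encoding), and no
    '..' segment anywhere in the decoded path."""
    try:
        text = unquote_to_bytes(raw_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return True                      # overlong/invalid sequence: reject
    if "%" in text:
        return True                      # still encoded after one pass: reject
    return ".." in text.split("/")

if __name__ == "__main__":
    for p in ("/public/../../appusers.txt", "/public/%c0%ae%c0%ae/appusers.txt"):
        print(p)
        print("  naive filter blocks:", naive_filter_blocks(p))
        print("  lenient decoder sees:", lenient_decode(p))
        print("  hardened check blocks:", hardened_blocks(p))
```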
Related Threat Agents
Command Execution
Information Disclosure
Related Attacks
Path Traversal
Embedding Null Code
Related Vulnerabilities
Input Validation Vulnerability
Related Controls
Input Validation
References
- CVE-2000-0884
- Using Unicode Encoding to Bypass Validation Logic
- Patch Available for ‘Web Server Folder Traversal’ Vulnerability
- HTTP content scanning systems full-width/half-width Unicode encoding bypass
- URL encoded attacks, by Gunter Ollmann
- Penetration testing of cross site scripting and SQL injection on web application, by Cheong Kai Wee