|Name ||Using Leading 'Ghost' Character Sequences to Bypass Input Filters |
|Summary ||An attacker intentionally introduces leading characters that get the input past the filters. The targeted API ignores the leading "ghost" characters and therefore processes the attacker's input. This occurs when the targeted API accepts input data in several syntactic forms and interprets them in the same semantic way, while the filter does not take into account the full spectrum of syntactic forms acceptable to the targeted API.
Some APIs strip certain leading characters from a string of parameters. Perhaps these characters are considered redundant, and for this reason they are removed. Another possibility is that the parser logic at the beginning of analysis is specialized in some way that causes some characters to be removed. The attacker can specify multiple types of alternative encodings at the beginning of a string as a set of probes.
One commonly used possibility involves adding ghost characters, extra characters that do not affect the validity of the request at the API layer. If the attacker has access to the API libraries being targeted, certain attack ideas can be tested directly in advance. Once alternative ghost encodings emerge through testing, the attacker can move from lab-based API testing to testing real-world service implementations. |
|Prerequisites ||The targeted API must ignore the leading ghost characters that are used to get past the filters for the semantics to be the same. |
|Solutions ||Perform whitelist rather than blacklist input validation.
Canonicalize all data prior to validation.
Take an iterative approach to input validation (defense in depth). |
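An added example (not part of the CAPEC entry) showing why the solutions above matter: a filter that checks the raw input before canonicalization is bypassed by leading characters the downstream API strips, while a filter that canonicalizes the same way the API does and then applies a whitelist is not. The API and its ghost characters (leading whitespace and "./" prefixes) are hypothetical, constructed for illustration.

```python
"""Added example, not part of the CAPEC entry: validate-before-canonicalize
(CWE-180) versus canonicalize-then-whitelist for a hypothetical file API."""
import posixpath
import re


def backend_api_canonicalize(path: str) -> str:
    """Hypothetical downstream API (constructed for this example): it strips
    leading whitespace and redundant './' prefixes, the 'ghost' characters,
    before normalising the path."""
    path = path.lstrip(" \t")
    while path.startswith("./"):
        path = path[2:]
    return posixpath.normpath(path)


def filter_validate_then_canonicalize(path: str) -> bool:
    """Weak filter: a blacklist check on the raw input. It only sees the
    literal prefix supplied, not what the API will actually process."""
    return not (path.startswith("../") or path.startswith("/"))


# Whitelist: first character alphanumeric or underscore, then a restricted
# set of path characters; this also rejects anything starting with '.'
SAFE_RELATIVE_PATH = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]*")


def filter_canonicalize_then_validate(path: str) -> bool:
    """Hardened filter: canonicalize exactly as the API will, then whitelist
    the result and refuse any remaining parent-directory segment."""
    canon = backend_api_canonicalize(path)
    if not SAFE_RELATIVE_PATH.fullmatch(canon):
        return False
    return ".." not in canon.split("/")


if __name__ == "__main__":
    # Constructed sample inputs: a plain traversal attempt, the same attempt
    # with ghost characters in front, and two legitimate paths.
    samples = ["../etc/passwd", " ./../etc/passwd", "docs/readme.txt",
               "./docs/readme.txt"]
    for s in samples:
        print(repr(s), "weak:", filter_validate_then_canonicalize(s),
              "hardened:", filter_canonicalize_then_validate(s),
              "API sees:", repr(backend_api_canonicalize(s)))
```

The weak filter accepts " ./../etc/passwd" because the raw string does not start with "../", yet the API reduces it to "../etc/passwd"; the hardened filter rejects it because it validates the canonical form.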
|CWE ID ||Description |
|CWE-20 ||Improper Input Validation |
|CWE-41 ||Improper Resolution of Path Equivalence |
|CWE-74 ||Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|CWE-171 || |
|CWE-172 ||Encoding Error |
|CWE-173 ||Improper Handling of Alternate Encoding |
|CWE-179 ||Incorrect Behavior Order: Early Validation |
|CWE-180 ||Incorrect Behavior Order: Validate Before Canonicalize |
|CWE-181 ||Incorrect Behavior Order: Validate Before Filter |
|CWE-183 ||Permissive Whitelist |
|CWE-184 ||Incomplete Blacklist |
|CWE-697 ||Insufficient Comparison |
|CWE-707 ||Improper Enforcement of Message or Data Structure |