Name Using Alternative IP Address Encodings
Summary This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names, URL, IP address, or IP Address ranges. The issue that the attacker can exploit is that these design assumptions may not be validated against a variety of different possible encodings and network address location formats. Applications that use naming for creating policy namespaces for managing access control may be susceptible to being queried directly by IP addresses, which is ultimately a more generally authoritative way of communicating on a network. Alternative IP addresses can be used by the attacker to bypass application access control in order to gain access to data that is only protected by obscuring its location. In addition this type of attack can be used as a reconnaissance mechanism to provide entry point information that the attacker gathers to penetrate deeper into the system.
Prerequisites The target software must fail to anticipate all of the possible valid encodings of an IP/web address.
Solutions Design: Default deny access control policies Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges) Implementation: Perform input validation for all remote content.
Related Weaknesses
CWE ID Description
CWE-41 Improper Resolution of Path Equivalence
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-291 Reliance on IP Address for Authentication
CWE-345 Insufficient Verification of Data Authenticity
CWE-697 Insufficient Comparison
CWE-707 Improper Enforcement of Message or Data Structure
Back to Top