|Name ||Using Alternative IP Address Encodings |
|Summary ||This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names, URL, IP address, or IP Address ranges. The issue that the attacker can exploit is that these design assumptions may not be validated against a variety of different possible encodings and network address location formats. Applications that use naming for creating policy namespaces for managing access control may be susceptible to being queried directly by IP addresses, which is ultimately a more generally authoritative way of communicating on a network.
Alternative IP addresses can be used by the attacker to bypass application access control in order to gain access to data that is only protected by obscuring its location.
In addition this type of attack can be used as a reconnaissance mechanism to provide entry point information that the attacker gathers to penetrate deeper into the system. |
|Prerequisites ||The target software must fail to anticipate all of the possible valid encodings of an IP/web address. |
|Solutions ||Design: Default deny access control policies
Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges)
Implementation: Perform input validation for all remote content. |
|CWE ID ||Description |
|CWE-41 ||Improper Resolution of Path Equivalence |
|CWE-180 ||Incorrect Behavior Order: Validate Before Canonicalize |
|CWE-291 ||Reliance on IP Address for Authentication |
|CWE-345 ||Insufficient Verification of Data Authenticity |
|CWE-697 ||Insufficient Comparison |
|CWE-707 ||Improper Enforcement of Message or Data Structure |