|Name ||Exploiting Multiple Input Interpretation Layers |
|Summary ||An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps.
The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application:
In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop. |
|Prerequisites ||User input is used to construct a command to be executed on the target system or as part of the file name.
Multiple parser passes are performed on the data supplied by the user. |
|Solutions ||An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it.
Make sure to perform input validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters.
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. |
|CWE ID ||Description |
|CWE-20 ||Improper Input Validation |
|CWE-74 ||Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|CWE-77 ||Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|CWE-78 ||Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|CWE-171 || |
|CWE-179 ||Incorrect Behavior Order: Early Validation |
|CWE-181 ||Incorrect Behavior Order: Validate Before Filter |
|CWE-183 ||Permissive Whitelist |
|CWE-184 ||Incomplete Blacklist |
|CWE-697 ||Insufficient Comparison |
|CWE-707 ||Improper Enforcement of Message or Data Structure |