|Name ||Using UTF-8 Encoding to Bypass Validation Logic |
|Summary ||This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters. |
|Prerequisites ||The application's UTF-8 decoder accepts and interprets illegal UTF-8 characters or non-shortest format of UTF-8 encoding.
Input filtering and validating is not done properly leaving the door open to harmful characters for the target host. |
|Solutions ||The Unicode Consortium recognized multiple representations to be a problem and has revised the Unicode Standard to make multiple representations of the same code point with UTF-8 illegal. The UTF-8 Corrigendum lists the newly restricted UTF-8 range (See references). Many current applications may not have been revised to follow this rule. Verify that your application conform to the latest UTF-8 encoding specification. Pay extra attention to the filtering of illegal characters.
Another consideration is error recovery. To guarantee correct recovery after corrupt or lost bytes, decoders must be able to recognize the difference between lead and trail bytes, rather than just assuming that bytes will be of the type allowed in their position.
For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. If you use a parser to decode the UTF-8 encoding, make sure that parser filter the invalid UTF-8 characters (invalid forms or overlong forms).
Look for overlong UTF-8 sequences starting with malicious pattern. You can also use a UTF-8 decoder stress test to test your UTF-8 parser (See Markus Kuhn's UTF-8 and Unicode FAQ in reference section)
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input. |
|CWE ID ||Description |
|CWE-20 ||Improper Input Validation |
|CWE-21 ||Pathname Traversal and Equivalence Errors |
|CWE-73 ||External Control of File Name or Path |
|CWE-74 ||Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|CWE-171 ||Cleansing, Canonicalization, and Comparison Errors |
|CWE-172 ||Encoding Error |
|CWE-173 ||Improper Handling of Alternate Encoding |
|CWE-180 ||Incorrect Behavior Order: Validate Before Canonicalize |
|CWE-181 ||Incorrect Behavior Order: Validate Before Filter |
|CWE-692 ||Incomplete Blacklist to Cross-Site Scripting |
|CWE-697 ||Incorrect Comparison |