CAPEC-120: Double Encoding
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-20 | Improper Input Validation | weakness |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | weakness |
| CWE-172 | Encoding Error | weakness |
| CWE-173 | Improper Handling of Alternate Encoding | weakness |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) | weakness |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter | weakness |
| CWE-183 | Permissive List of Allowed Inputs | weakness |
| CWE-184 | Incomplete List of Disallowed Inputs | weakness |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting | weakness |
| CWE-697 | Incorrect Comparison | weakness |