CAPEC-78: Using Escaped Slashes in Alternate Encoding
ID
CAPEC-78
Typical Severity
High
Likelihood Of Attack
High
Status
Draft
This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-20 | Improper Input Validation | weakness |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | weakness |
| CWE-73 | External Control of File Name or Path | weakness |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | weakness |
| CWE-172 | Encoding Error | weakness |
| CWE-173 | Improper Handling of Alternate Encoding | weakness |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | weakness |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter | weakness |
| CWE-697 | Incorrect Comparison | weakness |
| CWE-707 | Improper Neutralization | weakness |