Double encoding explained

Double encoding is the act of encoding data twice in a row using the same encoding scheme. It is usually used as an attack technique to bypass authorization schemes or security filters that intercept user input. In double encoding attacks against security filters, characters of the payload that are treated as illegal by those filters are replaced with their double-encoded form.

Double URI-encoding is a special type of double encoding in which data is URI-encoded twice in a row. It has been used to bypass authorization schemes and security filters against code injection, directory traversal, cross-site scripting (XSS) and SQL injection.

Description

In double encoding, data is encoded twice in a row using the same encoding scheme, that is, double-encoded form of data X is Encode(Encode(X)) where Encode is an encoding function.^[1]

Double encoding is usually used as an attack technique to bypass authorization schemes or security filters that intercept user input.^[2] In double encoding attacks against security filters, characters of the payload that are treated as illegal by those filters are replaced with their double-encoded form.^[3] Security filters might treat data X and its encoded form as illegal.^[4] However, it is still possible for Encode(Encode(X)), which is the double-encoded form of data X, to not to be treated as illegal by security filters and hence pass through them, but later on, the target system might use the double-decoded form of Encode(Encode(X)), which is X, something that the filters would have been treated as illegal.^[5]

Double URI-encoding

Double URI-encoding, also referred to as double percent-encoding, is a special type of double encoding in which data is URI-encoded twice in a row.^[6] In other words, double-URI-encoded form of data X is URI-encode(URI-encode(X)).^[7] For example for calculating double-URI-encoded form of <, first < is URI-encoded as %3C which then in turn is URI-encoded as %253C, that is, double-URI-encode(<) = URI-encode(URI-encode(<)) = URI-encode(%3C) = %253C.^[8] As another example, for calculating double-URI-encoded form of ../, first ../ is URI-encoded as %2E%2E%2F which then in turn is URI-encoded as %252E%252E%252F, that is, double-URI-encode(../) = URI-encode(URI-encode(../)) = URI-encode(%2E%2E%2F) = %252E%252E%252F.^[9]

Double URI-encoding is usually used as an attack technique against web applications and web browsers to bypass authorization schemes and security filters that intercept user input.^{[10] [11]} For example because . and its URI-encoded form %2E are used in some directory traversal attacks, they are usually treated as illegal by security filters.^[12] However, it is still possible for %252E, which is the double-URI-encoded form of ., to not to be treated as illegal by security filters and hence pass through them, but later on, when the target system is building the path related to the directory traversal attack it might use the double-URI-decoded form of %252E, which is ., something that the filters would have been treated as illegal.^[13]

Double URI-encoding attacks have been used to bypass authorization schemes and security filters against code injection, directory traversal, XSS and SQL injection.^[14]

Prevention

Decoding some user input twice using the same decoding scheme, once before a security measure and once afterwards, may allow double encoding attacks to bypass that security measure.^[15] Thus, to prevent double encoding attacks, all decoding operations on user input should occur before authorization schemes and security filters that intercept user input.^[16]

Examples

PHP

In PHP programming language, data items in $_GET and $_REQUEST are sufficiently URI-decoded and thus programmers should avoid calling the urldecode function on them.^[17] Calling the urldecode function on data that has been read from $_GET or $_REQUEST causes the data to be URI-decoded once more than it should and hence may open possibility for double URI-encoding attacks.

Directory traversal

In the following PHP program, the value of $_GET["file"] is used to build the path of the file to be sent to the user. This opens the possibility for directory traversal attacks that incorporate their payload into the HTTP GET parameter file. As a security filter against directory traversal attacks, this program searches the value it reads from $_GET["file"] for directory traversal sequences and exits if it finds one. However, after this filter, the program URI-decodes the data that it has read from $_GET["file"], which makes it vulnerable to double URI-encoding attacks.

/* Security filter *//* Exit if user input contains directory traversal sequence */if (strstr($path, "../") or strstr($path, "..\\"))

/* URI-decode user input once again */$path = urldecode($path);

/* Build file path to be sent using user input */echo htmlentities(file_get_contents("uploads/" . $path));This filter prevents payloads such as ../../../../etc/passwd and its URI-encoded form %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd. However, %252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd, which is the double-URI-encoded form of ../../../../etc/passwd, will bypass this filter. When double-URI-encoded payload %252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd is used, the value of $_GET["file"] will be %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd which doesn't contain any directory traversal sequence and thus passes through the filter and will be given to the urldecode function which returns ../../../../etc/passwd, resulting in a successful attack.

XSS

In the following PHP program, the value of $_GET["name"] is used to build a message to be shown to the user. This opens the possibility for XSS attacks that incorporate their payload into the HTTP GET parameter name. As a security filter against XSS attacks, this program sanitizes the value it reads from $_GET["name"] via the htmlentities function. However, after this filter, the program URI-decodes the data that it has read from $_GET["name"], which makes it vulnerable to double URI-encoding attacks.

/* Security filter *//* Sanitize user input via htmlentity */$name = htmlentities($name);

/* URI-decode user input once again */$name = urldecode($name);

/* Build message to be shown using user input */echo "Hello " . $name;This filter prevents payloads such as <script>alert(1)</script> and its URI-encoded form %3Cscript%3Ealert%281%29%3C%2Fscript%3E. However, %253Cscript%253Ealert%25281%2529%253C%252Fscript%253E, which is the double-URI-encoded form of <script>alert(1)</script>, will bypass this filter. When double-URI-encoded payload %253Cscript%253Ealert%25281%2529%253C%252Fscript%253E is used, the value of $_GET["name"] will be %3Cscript%3Ealert%281%29%3C%2Fscript%3E which doesn't contain any illegal character and thus passes through the htmlentities function without any change and will be given to the urldecode function which returns <script>alert(1)</script>, resulting in a successful attack.

Sources

• Web site: CAPEC-120: Double Encoding . 3.7 . CAPEC . Common Attack Pattern Enumeration and Classification . 2022 . capec.mitre.org . 23 July 2022.
• Web site: CWE . Common Weakness Enumeration . CWE-174: Double Decoding of the Same Data . 4.8 . 2022 . cwe.mitre.org . 23 July 2022.
• Web site: Imperva . Imperva . Double URL Encoding . 2022 . docs.imperva.com . 23 July 2022.
• Web site: OWASP . OWASP . Double Encoding . 2022 . owasp.org . 23 July 2022.
• Web site: PHP . PHP . urldecode . 2022 . php.net . 23 July 2022.
• Web site: PortSwigger . Obfuscating attacks using encodings . Obfuscation via double URL encoding . 2022 . portswigger.net . 23 July 2022.
• Book: Prasad . Prakhar . Mastering Modern Web Penetration Testing . 2016 . Packt Publishing . 978-1785284588 . Double encoding . https://subscription.packtpub.com/book/networking-&-servers/9781785284588/1/ch01lvl1sec11/double-encoding . limited . 11–14.

External links

• OWASP entry for double encoding attacks
• CAPEC entry for double encoding attacks
• CWE entry for the weakness exploited by double encoding attacks

Notes and References

1. . "The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request."
2. . "This[double encoding] may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks [...] For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc."
3. . "This[double encoding] may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. [...] Try double-encoding for parts of the input in order to try to get past the filters."
4. . "By using double encoding it’s possible to bypass security filters that only decode user input once."
5. . "By using double encoding it’s possible to bypass security filters that only decode user input once. The second decoding process is executed by the backend platform or modules that properly handle encoded data, but don’t have the corresponding security checks in place."
6. . "Double percent encoding is the same as percent encoding with a twist that each character is encoded twice instead of once."
7. . "Double percent encoding is the same as percent encoding with a twist that each character is encoded twice instead of once."
8. . "So if I had to encode < using double encoding, I'll first encode it into its percent-encoded format, which is %3c and then again percent encode the % character. The result of this will be %253c."
9. . "For example, ../ (dot-dot-slash) characters represent %2E%2E%2F in hexadecimal representation. When the % symbol is encoded again, its representation in hexadecimal code is %25. The result from the double encoding process ../ (dot-dot-slash) would be %252E%252E%252F"
10. . "This technique[double percent encoding] comes in pretty handy when attempting to evade filters which attempt to blacklist certain encoded characters"
11. . "For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc."
12. . "For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request."
13. . "In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target."
14. .
15. . "The software decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations."
16. . "Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180)."
17. . "Warning: The superglobals $_GET and $_REQUEST are already decoded. Using urldecode on an element in $_GET or $_REQUEST could have unexpected and dangerous results."