Kingdom: Input Validation and Representation

Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

Path Manipulation: Special Characters

Universal

Abstract

Use of unfiltered data in the selection of a requested application file path can lead to sensitive data disclosure and potential theft of proprietary business logic.

Explanation

Path manipulation errors occur when the following two conditions are met:

1. An attacker can specify a path used in an operation on the filesystem.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

The cases below are a few examples of source code disclosure that can be caused by passing special characters via request parameters:

Example 1: By appending a space character ("%20"), an application might be forced into disclosing the source for any PHP file.

Example 2: Source code disclosure might also occur from a null character ("%00") appended to a file name in the request URL.

Example 3: Partial encoding of file extensions has been known to disclose the application source code (e.g. "%2ejsp", "%2ejhtml").

Example 4: Certain configurations are prone to source code disclosure issue when the "#" character is used in the extension (e.g. ".#php").

Example 5: Access restrictions implemented by certain web servers based on explicit access to /WEB-INF/ have known to be bypassed by requesting /WEB-INF./.

Example 6: Source code disclosure can occur when the "+" character is appended to the file extension in the request URL (e.g. "jsp+").

Example 7: Including the "%" character in the file name could also result in the disclosure of file source.

If an application or server fails to account for special characters passed with malicious input, severe disclosure issues can occur.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 156, CWE ID 158

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754

[3] Standards Mapping - FIPS200 AC, SI

[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3)

[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[10] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[11] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access

[12] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.10

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[27] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022

[28] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3460 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3460 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3460 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3460 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3460 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3460 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3460 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II

[51] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)

[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.dynamic.xtended_preview.path_manipulation_special_characters