Detailedlikelihood: Mediumseverity: HighDraft

CAPEC-71Using Unicode Encoding to Bypass Validation Logic

Abstraction
Detailed
Status
Draft
Likelihood
Medium
Severity
High

Description

An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.

Related weaknesses· 11

CWE-176CWE-179CWE-180CWE-173CWE-172CWE-184CWE-183CWE-74CWE-20CWE-697CWE-692

Related attack patterns· 1

CAPEC-267 (ChildOf)

Exploits11

TypeTargetConfidenceTier
WeaknessIncomplete List of Disallowed Inputscwe-184100%live
WeaknessPermissive List of Allowed Inputscwe-183100%live
WeaknessIncomplete Denylist to Cross-Site Scriptingcwe-692100%live
WeaknessImproper Handling of Alternate Encodingcwe-173100%live
WeaknessIncorrect Behavior Order: Validate Before Canonicalizecwe-180100%live
WeaknessImproper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')cwe-74100%live
WeaknessIncorrect Comparisoncwe-697100%live
WeaknessImproper Handling of Unicode Encodingcwe-176100%live
WeaknessEncoding Errorcwe-172100%live
WeaknessIncorrect Behavior Order: Early Validationcwe-179100%live
WeaknessImproper Input Validationcwe-20100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
Using UTF-8 Encoding to Bypass Validation Logic
CAPEC
Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC
URL Encoding
CAPEC
Using Escaped Slashes in Alternate Encoding
CAPEC
XSS Using Invalid Characters
CAPEC
Using Alternative IP Address Encodings
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.