White Papers
%u Encoding IDS Bypass Vulnerability
Overview
Release Date: September 5, 2001
Severity: Medium
Description: For an Intrusion Detection system to function properly it must have the ability to be able to decode (break down) various forms of HTTP encoded requests such as UTF and hex encoding. Most commercial and freeware IDS (Intrusion Detection Systems) do have the ability to break down UTF and hex encoded request in an effort to analyze them for attack strings.
The two mainstream ways of encoding a url would be UTF (%xx%xx) or just plain hex encode (%xx) where xx are the relevant hex values. Microsoft's IIS Web server does include both of these types of encoding however it also includes a third style of encoding that is not a HTTP standard. Therefore most IDS systems were not aware of this "different" encoding and therefore do not try to decode it.
This "different" style of encoding is known as %u encoding. The purpose of this %u encoding seems to be for the ability to represent true Unicode/wide character strings.
Since %u encoding is not a standard and IDS systems do not decode %u strings, it is possible for an attacker to %u encode his/her attack against an IIS web server without an IDS system detecting the attack. Therefore allowing an attacker to successfully perform scans and attacks against IIS web servers without IDS systems detecting the attacks.
| Publisher | eEye | File Format | HTML |
|---|---|---|---|
| Date Published | September 2001 | ||
| Format | White Papers | ||
| Topics |
|
||
-
Did you find this white paper useful? 1 out of 2 users found this white paper useful
White Paper RSS
Download
Register
