Double encoding is an attack technique that can be used to bypass certain blacklist-based filtering mechanisms. Suppose an application is trying to blacklist the '#' character in a user-provided URL. First, the web application has to decode the user-provided URL (in case the attacker tries to encode the '#' character).
Below is a pseudo-code example of a blacklisting function:
function blacklist_filter(url):
    decoded_url = url_decode(url)
    if '#' is in decoded_url:
        throw error
    else:
        return decoded_url
But it turns out that the attacker can perform the encoding twice in order to bypass the blacklisting filter: the filter decodes only once, so it never sees the raw '#', while whatever consumes the URL afterwards decodes it a second time.
First Encoding: '#' -> %23
Second Encoding: %23 -> %2523
function blacklist_filter(url = 'www.example.com%2523'):
    decoded_url = url_decode(url)   // decoded_url equals 'www.example.com%23'
    if '#' is in decoded_url:       // false: the filter never sees the raw '#'
        throw error
    else:
        return decoded_url          // 'www.example.com%23' passes the filter
To improve this blacklisting method, the application can search for both the '#' character and its encoded form '%23' in decoded_url before using it. As a result, neither the '#' character nor its single-encoded form can be smuggled through in the URL. Note that this is still a blacklist: if the component that later consumes the URL decodes more than once, a third encoding layer ('%252523') slips past this check too, so a more robust approach is to decode until the value stops changing (or reject input that still contains percent-escapes after one decode) and then apply a whitelist.
function improved_blacklist_filter(url = 'www.example.com%2523'):
    decoded_url = url_decode(url)   // decoded_url equals 'www.example.com%23'
    if '#' or '%23' is in decoded_url:
        throw error                 // '%23' is present, so the request is rejected
    else:
        return decoded_url
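The following Python is an added example written for this page, not code from the original post; it implements the post's two filters with urllib.parse.unquote and adds a third, canonicalizing variant (a bounded decode-until-stable loop, which is an assumption of this example rather than anything the post prescribes) so that the single-, double- and triple-encoded cases can be compared side by side:

```python
from urllib.parse import unquote

BLOCKED = "#"


def naive_filter(url: str) -> str:
    """The post's first filter: decode once, then look only for the raw '#'.

    Bypassed by double encoding ('%2523' decodes to '%23', not '#')."""
    decoded = unquote(url)
    if BLOCKED in decoded:
        raise ValueError("blocked character in URL")
    return decoded


def improved_filter(url: str) -> str:
    """The post's improved filter: also reject the single-encoded form '%23'.

    Still bypassed by triple encoding ('%252523' decodes to '%2523')."""
    decoded = unquote(url)
    if BLOCKED in decoded or "%23" in decoded:
        raise ValueError("blocked character (or its encoding) in URL")
    return decoded


def canonical_filter(url: str, max_rounds: int = 5) -> str:
    """Decode until the string stops changing, then check the canonical form.

    Any number of encoding layers collapses to the raw character, so the
    blacklist check sees what the downstream consumer would eventually see.
    Inputs that are still changing after max_rounds are treated as hostile."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        raise ValueError("input did not reach a stable decoding")
    if BLOCKED in current:
        raise ValueError("blocked character in URL")
    return current


def is_rejected(filter_fn, url: str) -> bool:
    """True if the given filter raises on the given URL."""
    try:
        filter_fn(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: plain, single-, double- and triple-encoded '#'.
    samples = [
        "www.example.com#",
        "www.example.com%23",
        "www.example.com%2523",
        "www.example.com%252523",
    ]
    for fn in (naive_filter, improved_filter, canonical_filter):
        print(fn.__name__, [is_rejected(fn, s) for s in samples])
```

Decoding to a fixed point has a cost: a URL that legitimately contains a literal '%25' is rewritten, so a stricter alternative is to decode once and reject anything that still contains a percent-escape. Either way, the lesson of the post stands: a blacklist must compare against the same canonical form the consumer of the value will use.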
You can use this blog post as a tip for solving the Web Security Academy lab:
https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter
Resources:
- Chapter 1, Mastering Modern Web Penetration Testing
- https://www.owasp.org/index.php/Double_Encoding
- https://en.wikipedia.org/wiki/Double_encoding