
Usage of Double Encoding

Double Encoding is an attack technique that can be used to bypass certain blacklisting filter mechanisms. Suppose an application is trying to blacklist the ‘#’ character in a user-provided URL. First, the web application has to decode the user-provided URL (in case the attacker tries to encode the ‘#’ character).

Below is a pseudo-code example of a blacklisting function:

function blacklist_filter(url):
    decoded_url = url_decode(url)
    if '#' is in decoded_url:
        throw error
    else:
        return decoded_url

But it turns out that the attacker can perform the encoding twice in order to bypass the blacklisting filter, because the filter only decodes once.

First Encoding:  '#' -> %23
Second Encoding: %23 -> %2523

function blacklist_filter(url = 'www.example.com%2523'):
    decoded_url = url_decode(url) // decoded_url equals www.example.com%23
    if '#' is in decoded_url:     // '#' is not present, so the check passes
        throw error
    else:
        return decoded_url

To improve this blacklisting method, the application can search for both the ‘#’ character and its encoded value ‘%23’ before using the decoded_url. As a result, neither the ‘#’ character nor its encoded form can be used in the URL.

function improved_blacklist_filter(url = 'www.example.com%2523'):
    decoded_url = url_decode(url) // decoded_url equals www.example.com%23
    if '#' or '%23' is in decoded_url:
        throw error
    else:
        return decoded_url
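
The two filters above, rewritten as runnable Python so the bypass can be checked, plus a third variant that goes a step beyond the post: decoding repeatedly until the value stops changing, which also catches a third layer of encoding (%252523) that the single-decode improved filter still lets through. This is an added example, not the original post's code; the page's url_decode() is assumed to behave like urllib.parse.unquote.

```python
from urllib.parse import unquote


def url_decode(url: str) -> str:
    """One pass of percent-decoding (stands in for the page's url_decode)."""
    return unquote(url)


def blacklist_filter(url: str) -> str:
    """Original filter from the post: decode once, then look for '#'."""
    decoded_url = url_decode(url)
    if '#' in decoded_url:
        raise ValueError("blocked: '#' found")
    return decoded_url


def improved_blacklist_filter(url: str) -> str:
    """Improved filter from the post: also reject the encoded form '%23'."""
    decoded_url = url_decode(url)
    if '#' in decoded_url or '%23' in decoded_url:
        raise ValueError("blocked: '#' or '%23' found")
    return decoded_url


def canonical_filter(url: str, max_rounds: int = 5) -> str:
    """Hypothetical hardened variant (not from the post): decode until the
    value is stable, then check the fully canonical form. A cap on rounds
    rejects inputs wrapped in more layers than any legitimate client sends."""
    current = url
    for _ in range(max_rounds):
        decoded_url = url_decode(current)
        if decoded_url == current:   # fixpoint reached: nothing left to decode
            break
        current = decoded_url
    else:
        raise ValueError("blocked: too many encoding layers")
    if '#' in current:
        raise ValueError("blocked: '#' found after canonicalisation")
    return current


def is_blocked(filter_fn, url: str) -> bool:
    """True if filter_fn rejects url, False if it returns a value."""
    try:
        filter_fn(url)
    except ValueError:
        return True
    return False
```

The original filter accepts www.example.com%2523, the improved filter rejects it but accepts www.example.com%252523, and only the canonicalising filter rejects both.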

You can use this blog post as a tip for solving the Web Security Academy lab:
https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter

Resources:

  • Chapter 1, Mastering Modern Web Penetration Testing
  • https://www.owasp.org/index.php/Double_Encoding
  • https://en.wikipedia.org/wiki/Double_encoding
Published in Web Security
