Name

Using Unicode Encoding to Bypass Validation Logic
Summary

An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understand the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
Prerequisites

Filtering is performed on data that has not been properly canonicalized.
Solutions

- Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII.
- Ensure that filtering or input validation is applied to canonical data.
- Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.
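The following is an added example, not part of this entry or of CAPEC, that puts the second and third solutions side by side with the flawed pattern the summary describes. `naive_validate` is a denylist check run on raw input that assumes ASCII; `hardened_validate` first canonicalizes (repeated percent-decoding, then Unicode NFKC normalization) and only then applies an allowlist and a path-segment check. The function names, the allowlist pattern and the sample inputs are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Allowlist of characters a relative file-name parameter legitimately needs
# (constructed for this example; derive yours from the requirements spec).
ALLOWED = re.compile(r"^[A-Za-z0-9_./-]+$")


def canonicalize(raw: str) -> str:
    """Reduce client input to one canonical form before any filtering decision."""
    value, prev = raw, None
    # Percent-decode until the value stops changing, so a doubly encoded
    # "%252E" does not survive a single decoding pass.
    while value != prev:
        prev, value = value, unquote(value)
    # NFKC folds compatibility characters such as the fullwidth full stop
    # (U+FF0E) onto their ASCII equivalents, so the filter sees "." not "．".
    return unicodedata.normalize("NFKC", value)


def naive_validate(raw: str) -> bool:
    """The flawed pattern from the summary: a denylist check applied to raw,
    non-canonical input that silently assumes the data is ASCII."""
    return ".." not in raw and not raw.startswith("/")


def hardened_validate(raw: str) -> bool:
    """The mitigated pattern: canonicalize first, then allowlist the result and
    reject any path segment that escapes the intended directory."""
    path = canonicalize(raw)
    if ALLOWED.fullmatch(path) is None:
        return False
    if path.startswith("/"):
        return False
    return all(segment != ".." for segment in path.split("/"))


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, a fullwidth-dot traversal
    # attempt and a double-percent-encoded one.
    for sample in ("report.txt", "\uff0e\uff0e/etc/passwd", "%252e%252e/etc/passwd"):
        print(repr(sample), "naive:", naive_validate(sample),
              "hardened:", hardened_validate(sample))
```

The naive check accepts the two non-canonical samples because neither contains the ASCII sequence it is looking for; after canonicalization both reduce to `../etc/passwd`, which the hardened check rejects. The decode-until-stable loop matters because a single `unquote` pass leaves `%252e` as `%2e`, which a later component may decode again.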