In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. This is a privilege elevation attack targeted at zone-based web-browser security. ![]() It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.Īn attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. This is often referred as escaped ending or percent-encoding. For instance US-ASCII space character would be represented with %20. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). A URL may contain special character that need special syntax handling in order to be interpreted. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. ![]() Re: watchdog.This attack targets the encoding of the URL combined with the encoding of the slash characters.
0 Comments
Leave a Reply. |