| Name |
Using Alternative IP Address Encodings |
|
| Likelyhood of attack |
Typical severity |
| Medium |
High |
|
| Summary |
This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control. |
| Prerequisites |
The target software must fail to anticipate all of the possible valid encodings of an IP/web address. The adversary must have the ability to communicate with the server. |
| Solutions | Design: Default deny access control policies Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges) Implementation: Perform input validation for all remote content. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-173 |
Improper Handling of Alternate Encoding |
| CWE-291 |
Reliance on IP Address for Authentication |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-267 |
An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard. |
|