Bypassing Web Application Input Filters: A Common Attack Vector
Web applications frequently employ input filters and sanitization techniques to protect against attacks like SQL Injection, Cross-Site Scripting (XSS), and Command Injection. These filters typically restrict input characters and patterns, often removing potentially harmful characters such as quotation marks (", ') and semicolons (;).
However, attackers can bypass these filters by exploiting weaknesses in their logic. Filters often focus on blocking specific characters or patterns, neglecting various encoding methods. Attackers leverage this by using alternative representations of harmful characters, achieving the same malicious effect without triggering the filter.
Common Bypass Techniques:
- Hexadecimal Encoding: Representing characters using their hexadecimal equivalents (e.g., " becomes %22). This is a widely used technique because many filters don't check for encoded characters.
- URL Encoding: Similar to hexadecimal encoding, this method uses URL-encoded characters (e.g., " becomes %22). This is particularly effective for bypassing filters in URL parameters or query strings.
- Other Encoding Methods: Base64, Unicode, and other encoding schemes can also be employed to obfuscate malicious input.
Example: SQL Injection Bypass
A filter might block the quotation mark (") to prevent SQL injection. An attacker could bypass this by using its hexadecimal equivalent, %22, within an SQL query.
- Malicious Input: admin" OR 1=1 --
- Filtered Input (if the filter removes "): admin OR 1=1 --
- Bypassed Input: admin%22 OR 1=1 -- (decoded by the application back to the original malicious input)
The Attacker's Goal:
The core principle is to submit data in a different format that the application still interprets as malicious code. The encoding obfuscates the harmful characters, but the application's underlying processes decode them, resulting in the intended attack. Another example involves bypassing filters that block -- (the SQL line comment) by using /* ... */ (the SQL block comment) instead.
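The following is an added example, not code from the article, that reproduces the weakness described above on the article's own input and contrasts it with a check that decodes first and then applies an allowlist. The filter, the decode loop and the username pattern are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Characters the article's weak filter strips, and an allowlist for what a
# username may legitimately contain (both are assumptions for this example).
BLOCKED = {'"', "'", ";"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def naive_filter(value: str) -> str:
    """The weak filter from the article: strip a few dangerous characters
    without decoding first, so an encoded quote such as %22 passes untouched."""
    return "".join(ch for ch in value if ch not in BLOCKED)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    sequence such as %2522 (-> %22 -> ") is also resolved before any check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("value still changing after repeated decoding")


def is_valid_username(raw: str) -> bool:
    """Allowlist check on the canonical form: accept only what a username may
    contain, instead of hunting for individual bad characters."""
    try:
        return USERNAME_RE.fullmatch(canonicalize(raw)) is not None
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the article's payload, its encoded form,
    # a double-encoded form, and a benign username.
    samples = ['admin" OR 1=1 --', "admin%22 OR 1=1 --",
               "admin%2522 OR 1=1 --", "alice_01"]
    for s in samples:
        print(f"{s!r:26} naive -> {naive_filter(s)!r:24} "
              f"allowlist accepts: {is_valid_username(s)}")
```

Note that the naive filter leaves the %22 form untouched, exactly the gap the article describes, while the canonicalize-then-allowlist check rejects both the encoded and double-encoded forms and still accepts an ordinary username.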
Summary:
Input filters are a crucial security measure, but their effectiveness depends on their thoroughness. Attackers can circumvent these filters by using various encoding methods to represent harmful characters in a format the filter doesn't recognize. This highlights the importance of robust input validation and sanitization that decodes input to its canonical form before checking it and accounts for multiple encoding methods and potential attack vectors. Relying solely on blacklisting specific characters is insufficient; a more comprehensive approach, such as allowlisting the values a field may legitimately contain, is necessary.
Resources
https://github.com/payloadbox/command-injection-payload-list