Unicode is one of the Internet community's attempts at forming a single character set spanning all languages. Web servers such as Microsoft's Internet Information Server (IIS) support the Unicode character set. Accepting and processing Unicode can lead to exploits in which the IIS Web server reads and executes a Unicode-encoded request supplied by the attacker.
This attack is common and is usually one of the first launched by attackers when an IIS Web service is found. Scripts that exploit it are easily downloaded from the Internet and do not require the attacker to understand how they work before using them. The Unicode bug in IIS is basically one in which a prohibited Unicode encoding of "/" allowed users to craft URLs that jump outside the Web document directory and call the command shell, cmd.exe, inside the Windows file system. The exploit succeeds because IIS performs only one security check, after the first decode of the request, and then services the request; no further security check is performed after the second decode pass. The vulnerability is exercised with a URL like this:
http://www.xyzcorporation.com/scripts/…%255c…%255cwinnt/system32/cmd.exe?/c+dir+c:\
The URL causes the IIS Web server to interpret the encoded characters as back slashes, bypassing the Web server's normal filtering for such requests; it moves two directory levels above the location of the /scripts/ directory and targets /winnt/system32/cmd.exe.
Following are some examples of double decode variations:
%255c
%%35c
%%35%63
%25%35%63
These are not the only combinations; many more are possible. For these reasons, user-input validation becomes very important. Auditors should also examine the system and change controls that ensure Web servers receive the latest update patches, as Microsoft currently delivers an IIS patch addressing these vulnerabilities.
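The following is an added example, not code from the original text or from Microsoft, showing why a single decode pass misses these requests and how a defender-side check should decode a request path until it stops changing before looking for directory traversal. The sample paths are constructed for the demonstration (the traversal path mirrors the URL quoted above); the bound of five decode passes is an assumption chosen to stop a request from forcing unbounded work.

```python
from urllib.parse import unquote


def full_decode(raw: str, max_passes: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so that nested
    encodings such as %255c, %%35c, %%35%63 and %25%35%63 all collapse to a
    single backslash. A single unquote() call leaves them as %5c."""
    cur = raw
    for _ in range(max_passes):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def escapes_root(path: str) -> bool:
    """True when the (already decoded) path climbs above the web root.
    Backslashes are treated as separators because IIS accepts both."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def single_pass_check(raw: str) -> bool:
    """Models the flawed behaviour: decode once, then inspect."""
    return escapes_root(unquote(raw))


def full_decode_check(raw: str) -> bool:
    """Corrected behaviour: canonicalise fully, then inspect."""
    return escapes_root(full_decode(raw))


# Constructed sample request paths for the demonstration.
TRAVERSAL = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"
BENIGN = "/scripts/app/index.asp"

if __name__ == "__main__":
    for p in (TRAVERSAL, BENIGN):
        print(p, "single-pass:", single_pass_check(p), "full:", full_decode_check(p))
```

Run stand-alone, the script shows the double-encoded path slipping past the single-pass check while the fully decoded check flags it; the benign path passes both. The same canonicalise-then-check ordering is the rule to apply to any input filter, not only to IIS path handling.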
Cookie Pal
Cookies are small fields of text data created in a file that a browser stores and uses to maintain its state and to retrieve information from the Web server. However, if an E-commerce site is using cookies, Web servers can be fooled into delivering more information than they should. For reference, there are basically two types of cookies, session and persistent.
Session cookies remain only in the system's memory and are temporary fields of data held in the workstation until the client's browser is closed. Supposedly they are valid for the time the user is using specific Web site services. Session cookies are generally valid for finite periods of time. Unlike session cookies, persistent cookies are held on the workstation's hard disk and are read by the browser when requested to do so. For example, in Microsoft's Internet Explorer, persistent cookies are held in the C:\Documents and Settings\Administrator\Cookies directory.
The Cookie Pal application is a shareware program available at: www.kburra.net/. Cookie Pal permits control of both session cookies and persistent cookies before they are lodged in memory or recorded on the hard drive. Basically, Cookie Pal intercepts the cookie-setting request in the Web server's response and displays it in a dialogue box.
Remember, cookies frequently hold user information such as stored user names, passwords, preferences, mailing addresses, and online identification. It is important to note that cookies often contain a significant amount of information valuable to an attacker. Attackers do not usually have access to cookies unless they can gain access to a user's workstation. Cookie Pal allows an auditor to intercept a cookie and examine its contents. This is an extremely useful technique when auditing the cookies being placed by the organization's Web site.
A possible attacker ploy is to modify the cookie containing the number of times the Web page has been visited by a user. It may be possible to change the cookie to reflect some exorbitant number of visits, possibly causing a server buffer overflow if the user input is not checked for correctness.
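As an added example (not code from the original text or from Cookie Pal), the following shows the server-side handling that defeats the visit-counter ploy just described: the counter is bound to a keyed HMAC so a client-edited value fails verification, and the value is length- and range-checked before it is ever converted to an integer. The key, the cookie name, the MAX_VISITS limit and the sample Cookie headers are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "visits"      # constructed cookie name
MAX_VISITS = 1_000_000      # assumed upper bound the application is willing to accept
MAX_DIGITS = len(str(MAX_VISITS))


def _tag(payload: bytes, key: bytes) -> str:
    """URL-safe base64 of HMAC-SHA256 over the payload, without padding."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_visits_cookie(count: int, key: bytes) -> str:
    """Build 'count.tag'; the server only ever issues in-range values."""
    if not 0 <= count <= MAX_VISITS:
        raise ValueError("visit count out of range")
    body = str(count)
    return f"{body}.{_tag(body.encode(), key)}"


def read_visits_cookie(value: Optional[str], key: bytes) -> Optional[int]:
    """Return the visit count, or None if the cookie is missing, malformed,
    tampered with, or out of range. Input is bounded before int() is called."""
    if value is None:
        return None
    body, sep, tag = value.rpartition(".")
    if not sep or not body or not tag:
        return None
    # ASCII digits only, and no longer than the largest number we issue.
    if not (body.isascii() and body.isdigit()) or len(body) > MAX_DIGITS:
        return None
    # Constant-time comparison of the presented tag against the recomputed one.
    if not hmac.compare_digest(_tag(body.encode(), key), tag):
        return None
    count = int(body)
    return count if count <= MAX_VISITS else None


def bump_visits(cookie_header: Optional[str], key: bytes) -> str:
    """Parse the request's Cookie header, validate the counter, and return the
    Set-Cookie value for the incremented count (restarting at 1 on any failure)."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    presented = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    current = read_visits_cookie(presented, key)
    nxt = 1 if current is None else min(current + 1, MAX_VISITS)
    return make_visits_cookie(nxt, key)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    good = make_visits_cookie(12, key)
    edited = "99999999999999." + good.split(".")[1]   # client-edited counter
    print("valid  ->", read_visits_cookie(good, key))
    print("edited ->", read_visits_cookie(edited, key))
    print("next   ->", bump_visits(f"{COOKIE_NAME}={good}; session=abc", key))
```

The design choice worth noting is the order of checks: shape and length first, then the HMAC, and only then integer conversion and the range test. Anything an auditor can change in Cookie Pal or a proxy must be treated as untrusted until it has passed all of them.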
Achilles
Achilles can be one of the more useful tools for actively auditing Web applications. It is a Windows-based utility and is capable of acting like a Web proxy, where information is captured before being sent back to the Web server. It is a free tool and available at: http://www.digizen-security.com/projects.html.
Achilles allows the user to intercept Web page information, modify it, and send it forward to the server. This ability to modify information on the fly permits an attacker to efficiently attempt code injection or value changes before the information goes on.
Achilles' configuration is fairly straightforward. Click the "Intercept Server Data (text)" checkbox in Achilles, and then make a request of the Web server. The client's request is intercepted, as is the server's reply. The server's reply can reveal the cookies being set, state-management attempts on the part of the server, and any fields that the user may later modify before they are sent on to the Web server.