Double encoding

Double encoding is the act of encoding data twice in a row using the same encoding scheme. It is usually used as an attack technique to bypass authorization schemes or security filters that intercept user input. In double encoding attacks against security filters, characters of the payload that are treated as illegal by those filters are replaced with their double-encoded form.

Double URI-encoding is a special type of double encoding in which data is URI-encoded twice in a row. It has been used to bypass authorization schemes and security filters against code injection, directory traversal, cross-site scripting (XSS) and SQL injection.

Description
In double encoding, data is encoded twice in a row using the same encoding scheme, that is, double-encoded form of data  is   where   is an encoding function.

Double encoding is usually used as an attack technique to bypass authorization schemes or security filters that intercept user input. In double encoding attacks against security filters, characters of the payload that are treated as illegal by those filters are replaced with their double-encoded form. Security filters might treat data  and its encoded form as illegal. However, it is still possible for, which is the double-encoded form of data  , to not to be treated as illegal by security filters and hence pass through them, but later on, the target system might use the double-decoded form of  , which is  , something that the filters would have been treated as illegal.

Double URI-encoding
Double URI-encoding, also referred to as double percent-encoding, is a special type of double encoding in which data is URI-encoded twice in a row. In other words, double-URI-encoded form of data  is. For example for calculating double-URI-encoded form of, first   is URI-encoded as   which then in turn is URI-encoded as  , that is,. As another example, for calculating double-URI-encoded form of, first   is URI-encoded as   which then in turn is URI-encoded as  , that is,.

Double URI-encoding is usually used as an attack technique against web applications and web browsers to bypass authorization schemes and security filters that intercept user input. For example because  and its URI-encoded form   are used in some directory traversal attacks, they are usually treated as illegal by security filters. However, it is still possible for, which is the double-URI-encoded form of  , to not to be treated as illegal by security filters and hence pass through them, but later on, when the target system is building the path related to the directory traversal attack it might use the double-URI-decoded form of  , which is  , something that the filters would have been treated as illegal.

Double URI-encoding attacks have been used to bypass authorization schemes and security filters against code injection, directory traversal, XSS and SQL injection.

Prevention
Decoding some user input twice using the same decoding scheme, once before a security measure and once afterwards, may allow double encoding attacks to bypass that security measure. Thus, to prevent double encoding attacks, all decoding operations on user input should occur before authorization schemes and security filters that intercept user input.

PHP
In PHP programming language, data items in  and   are sufficiently URI-decoded and thus programmers should avoid calling the   function on them. Calling the  function on data that has been read from   or   causes the data to be URI-decoded once more than it should and hence may open possibility for double URI-encoding attacks.

Directory traversal
In the following PHP program, the value of  is used to build the path of the file to be sent to the user. This opens the possibility for directory traversal attacks that incorporate their payload into the HTTP GET parameter. As a security filter against directory traversal attacks, this program searches the value it reads from  for directory traversal sequences and exits if it finds one. However, after this filter, the program URI-decodes the data that it has read from, which makes it vulnerable to double URI-encoding attacks. This filter prevents payloads such as  and its URI-encoded form. However,, which is the double-URI-encoded form of  , will bypass this filter. When double-URI-encoded payload  is used, the value of   will be   which doesn't contain any directory traversal sequence and thus passes through the filter and will be given to the   function which returns , resulting in a successful attack.

XSS
In the following PHP program, the value of  is used to build a message to be shown to the user. This opens the possibility for XSS attacks that incorporate their payload into the HTTP GET parameter. As a security filter against XSS attacks, this program sanitizes the value it reads from  via the   function. However, after this filter, the program URI-decodes the data that it has read from, which makes it vulnerable to double URI-encoding attacks. This filter prevents payloads such as  and its URI-encoded form. However,, which is the double-URI-encoded form of  , will bypass this filter. When double-URI-encoded payload  is used, the value of   will be   which doesn't contain any illegal character and thus passes through the   function without any change and will be given to the   function which returns , resulting in a successful attack.