This document discusses weaknesses in data normalization that can lead to vulnerabilities. It covers issues at various levels including protocol (e.g. double URL encoding bypassing validation), filesystem (e.g. path traversal using unusual encodings), databases (e.g. truncation or encoding issues), and applications (e.g. bypassing input sanitization with multibyte encodings). The key message is that input validation needs to consider challenges across all these levels from protocols to storage to properly prevent attacks exploiting normalization weaknesses.

1. Data normalization
weaknesses
@d0znpp
VolgaCTF, 03/09/2013

2. Intro
• Researcher, bug-hunter, CEO
• Web application security in depth
• @d0znpp personal twitter
• lab.onsec.ru our blog (@ONsec_lab)

3. What is normalization?
• Transferring and storing data are always
accompanied by their formatting
• First normalization than formatting
• Encoding (different charsets)
• Truncation (limited sizes)
• Trims
• Canonizations
• ...

4. Data normalization or input
validation weaknesses?

5. Web application basics
• Client-Server model
• Client is browser (Chrome, Safari, IE, FF)
• Server is web server software (Nginx,
Apache)
• Application server (FastCGI,Tomcat)
• Database storage (SQL or noSQL)

6. Web application
example. Depth #1
Browser WebServer
Database
AppServer
HTTP FCGI SQL

7. Web application
example. Depth #2
Browser WebServer
Database
AppServer
HTTP FCGI SQL
Operation System
File System
FS driver

8. Web application
example. Depth #3
Browser WebServer
Database
AppServer
HTTP FCGI SQL
OS
File System
FS driver
Network layer

9. Protocol level
normalization
Browser WebServer
Database
AppServer
HTTP FCGI SQL
OS
File System
FS driver
Network layer

10. Protocol level
normalization
• Urlencoding - what could be simpler?
• %22 to «
• %23 to #
• %25 to %
• Double url-encoding is basic bypass for
many input validators, right?

11. 2+ urlencoding
Why not?!
Browser Frontend Backend
HTTP FCGI
OS
Balancer
HTTP
%252527 %2527 %27
Input
validator

12. Protocol level
normalization
Browser WebServer
Database
AppServer
HTTP FCGI SQL
OS
File System
FS driver
Network layer

13. Protocol level
normalization
• HTTP parameter pollution
• https://www.owasp.org/images/b/ba/
AppsecEU09_CarettoniDiPaola_v0.8.pdf
• ?id=1&id=2 id=1,2
• HTTP parameter contamination
• http://netsec.rs/files/Http%20Parameter
%20Contamination%20-%20Ivan%20Markovic
%20NSS.pdf
• ?load[file ?load_file

14. Protocol level
normalization
• Something new?
• Why only parameters?
• Let’s try to fuzz smth else! :)
• GET{F}/{F}HTTP.1.1
• {F} = 0x09, 0x0b, 0x0c, 0x0d, 0x32
• Apache/2.2.22 (Unix)
• GET / bla-bla bla bla bla ehohoh
Valid packet!

15. File paths normalization
Browser WebServer
Database
AppServer
HTTP FCGI SQL
OS
File System
FS driver
Network layer

16. Filesystem names
canonization
• Path Traversal
• /../../../../../../etc/passwd
• Normalization
• http://www.ush.it/2009/02/08/php-
filesystem-attack-vectors/
• http://onsec.ru/
onsec.whitepaper-02.eng.pdf

17. Filesystem names
canonization
• Normalization
• /etc/passwd//////////////////////////////////.php
• C:boot.<<
• C:boot’‘ini
• C:boot.in>

18. Database storing
normalization
Browser WebServer
Database
AppServer
HTTP FCGI SQL
OS
File System
FS driver
Network layer

19. Database storing
normalization
• Encodings
• Client encoding
• Storing encoding
• Trim
• Size limited truncation

20. Database storing
normalization
• VARCHAR or BLOB ?
• What size limit of CREATE TABLE t1 (login
TEXT) ?
• INSERT INTO loginsVALUES
(:id, :login, :password)
• $login = « admin aa»

21. Application layer
normalization
Browser WebServer
Database
AppServer
HTTP FCGI SQL
OS
File System
FS driver
Network layer

22. Application layer
normalization
• SSRF bible. Cheatsheet
• https://docs.google.com/document/d/
1v1TkWZtrhzRLy0bYXBcdLUedXGb9nj
TNIJXa3u9akHM/#
• PHP fsockopen() url parsing tricks

23. Application layer
normalization
• Port overwriting, formatting
• localhost:81
• localhost:+81AAAAA
• localhost: 00081 AAA

24. IT IS ENCODING !!!

25. Multibyte encodings
• One byte for one char
• More bytes for one char !
• á
• 0xE1
• 0xC3A1 UTF-8 C-form
• 0x61CC81 UTF-8 D-form

26. addslashes() bypass
• http://shiflett.org/blog/2006/jan/addslashes-
versus-mysql-real-escape-string
• ’ to ’
• Replace 0x27 byte to 0x5c27
• But what about multibyte?
• 0xbf5c - valid char for GBK encoding
• 0xbf5c27 -> 0xbf5c 0x27

27. addslashes() bypass
• http://kuza55.blogspot.ru/2007/06/mysql-
injection-encoding-attacks.html
• Find all encodings where 0x5c is valid second
byte at any char
• big5, [A1-F9]
• sjis, [81-9F], [E0-FC]
• gbk, [81-FE]
• cp932, [81-9F], [E0-FC]

28. Homework!
escapeshellarg/cmd()
• Note that:
• PHP use SH by default at system(), not
BASH
• SH have no multibyte encoding
• escapeshellarg cut bytes 0x80-0xFF

29. But... escapeshellarg()
• http://lab.onsec.ru/2013/03/breaking-
escapeshellarg-news.html
• for shell no differences between
• ls -la
• ls ‘’-la’’
• ls ‘-la’
• unzip ‘-d/var/www’ - escaped, but arg!

30. PHP string encoding
http://www.php.net/manual/
language.types.string.php#language.types.string.details
• String will be encoded in whatever fashion it is encoded in
the script file
• If Zend Multibyte is enabled, the script may be written in
an arbitrary encoding (which is explicity declared or is
detected) and then converted to a certain internal
encoding, which is then the encoding that will be used for
the string literals
• State-dependent encodings where the same byte values can
be used in initial and non-initial shift states may be
problematic

31. Multibyte problems
• Lengths in chars or bytes?
• State-dependent encodings
• 0x0102 char
• 0x0203 char
• 0x01020203 two chars
• But what about case when 0x0202 is valid
char also?
• Try to find 0x0202 in this string ;)

32. Thanks for attention!
d0znpp@ONsec.ru
@d0znpp
@ONsec_lab
lab.onsec.ru