CAPEC-4 - Using Alternative IP Address Encodings

This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names, URL, IP address, or IP Address ranges. The issue that the attacker can exploit is that these design assumptions may not be validated against a variety of different possible encodings and network address location formats. Applications that use naming for creating policy namespaces for managing access control may be susceptible to being queried directly by IP addresses, which is ultimately a more generally authoritative way of communicating on a network.

Alternative IP addresses can be used by the attacker to bypass application access control in order to gain access to data that is only protected by obscuring its location.

In addition this type of attack can be used as a reconnaissance mechanism to provide entry point information that the attacker gathers to penetrate deeper into the system.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 3
  • Injection
  • Protocol Manipulation
  • API Abuse
  • Purposes 1
  • Penetration
  • Scopes 1
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality

Low level: The attacker has only to try IP address combinations.

The target software must fail to anticipate all of the possible valid encodings of an IP/web address.

Ability to communicate with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Design: Default deny access control policies

Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges)

Implementation: Perform input validation for all remote content.