Snort-alerts/http inspect-DOUBLE-DECODING-ATTACK

From aldeid

http_inspect DOUBLE DECODING ATTACK

Trigger

This event is generated when double encoded characters are detected in web traffic. This is abnormal behavior and may be an indicator of a possible attack against a vulnerable system.

This may also be an attempt to evade an IDS.

Affected systems

Microsoft IIS Servers

Scenario

An attacker might double-encode the request sent to the web server. The request may then evade an IDS monitoring the traffic, so that a successful attack could be launched without being detected.
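The check described under Trigger, sketched as an added example (not from the original page, and not Snort's http_inspect code): a URI is flagged when one percent-decoding pass still leaves a valid escape behind. The function names and the sample request lines are constructed for illustration.

```python
import re

# A well-formed percent escape: '%' followed by exactly two hex digits.
ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")


def decode_once(data: bytes) -> bytes:
    """One percent-decoding pass; malformed escapes (a bare '%') are left as-is."""
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def double_encoded(uri: bytes) -> list[tuple[str, str]]:
    """Return (escape, decoded_char) for every escape that only appears after
    the first decoding pass, i.e. that a second pass would decode again."""
    once = decode_once(uri)
    return [(m.group(0).decode("ascii"), chr(int(m.group(1), 16)))
            for m in ESCAPE.finditer(once)]


def scan(request_lines: list[bytes]) -> dict[bytes, list[tuple[str, str]]]:
    """Map each flagged request URI to the escapes revealed by the first pass."""
    hits = {}
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:          # not a request line, skip it
            continue
        found = double_encoded(parts[1])
        if found:
            hits[parts[1]] = found
    return hits


# Constructed sample request lines (not taken from the page).
SAMPLE = [
    b"GET /docs/report%2Epdf HTTP/1.1",      # single encoding of '.'
    b"GET /docs/report%252Epdf HTTP/1.1",    # %25 -> '%', leaving %2E
    b"GET /docs/report%%32%45pdf HTTP/1.1",  # bare '%' + %32 + %45 -> %2E
    b"GET /search?q=100%25 HTTP/1.1",        # encoded literal '%', nothing follows
]

if __name__ == "__main__":
    for uri, found in scan(SAMPLE).items():
        print(uri.decode("ascii"), "->", found)
```

A literal `%25` that happens to be followed by two hex digits in legitimate data is also flagged, so hits from a check like this need triage before being treated as an attack.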

Example

Both of the following URLs trigger the alert: