Last updated on: 2023-03-19 09:20:47.
Evasion Techniques Sub-Violations Description
Sub Violation Name | Description |
---|---|
Trailing slash | The system checks that the URL does not end with a slash. The trailing slash is removed as part of URL normalization only if this sub-violation is enabled or learned. |
Trailing dot | The system checks that there is no trailing dot in the URL. The trailing dot is removed as part of URL normalization only if this sub-violation is enabled or learned. |
Semicolon path parameters | The system checks that there is no unencoded ‘;’ (semicolon) in the URL. |
Bad unescape | The system detects illegal hex encoding and reports unescaping errors (such as %RR). |
Apache whitespace | The system detects the following characters in the URI: 9 (0x09), 11 (0x0B), 12 (0x0C), and 13 (0x0D). |
Bare byte decoding | The system detects higher ASCII bytes (greater than 127). |
IIS Unicode codepoints | Handles the mapping of IIS specific non-ASCII codepoints. Indicates that, when a character is greater than ‘0x00FF’, the system decodes %u according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, the system turns a%u2044b to a/b. The system performs this action on URI and parameter input. |
IIS backslashes | Normalizes backslashes (\) to slashes (/) for further processing. |
%u decoding | Performs Microsoft %u unicode decoding (%UXXXX where X is a hexadecimal digit). For example, the system turns a%u002fb to a/b. The system performs this action on URI and parameter input to evaluate if the request contains an attack. |
Multiple decoding | The system decodes URI and parameter values multiple times according to the number specified before the request is considered an evasion. |
Directory traversals | Ensures that directory traversal commands like ../ are not part of the URL. While requests generated by a browser should not contain directory traversal instructions, sometimes requests generated by JavaScript have them. |
Multiple slashes | The system checks that there is no more than one slash between URL segments. |
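As an added illustration (not code from the page or from the product it documents), the following Python normalizer applies the sub-violations above in the order the table implies and reports which ones fired. The `max_decodes` parameter and the partial best-fit table for `%u` codepoints above `0x00FF` are assumptions made for this example.

```python
import re
# Partial IIS best-fit table for %u codepoints above 0x00FF (constructed: the
# U+2044 -> '/' case is the page's example, the U+2215 entry is an assumption).
IIS_BEST_FIT = {0x2044: "/", 0x2215: "/"}
UNI = re.compile(r"%[uU]([0-9A-Fa-f]{4})")                   # Microsoft %uXXXX
HEX = re.compile(r"%([0-9A-Fa-f]{2})")                        # standard %XX
BAD = re.compile(r"%(?![0-9A-Fa-f]{2}|[uU][0-9A-Fa-f]{4})")   # '%' with no valid escape
# Post-decoding normalizations, applied in order; each hit records its sub-violation.
NORMALIZE = (("IIS backslashes", r"\\", "/"), ("Multiple slashes", r"/{2,}", "/"),
             ("Trailing dot", r"\.+$", ""), ("Trailing slash", r"(?<=.)/+$", ""))

def decode_once(s, v):  # one pass: %uXXXX first, then %XX; v collects sub-violations
    def uni(m):
        cp = int(m.group(1), 16)
        if cp > 0xFF:
            v.add("IIS Unicode codepoints")
        return chr(cp) if cp <= 0xFF else IIS_BEST_FIT.get(cp, m.group(0))  # unmapped stays literal
    def hx(m):
        b = int(m.group(1), 16)
        if b > 127:
            v.add("Bare byte decoding")
        if b in (0x09, 0x0B, 0x0C, 0x0D):
            v.add("Apache whitespace")
        return chr(b)
    out = UNI.sub(uni, s)
    if out != s:
        v.add("%u decoding")
    return HEX.sub(hx, out)

def normalize(url, max_decodes=1):
    """Return (normalized path, sorted sub-violation names) for one request path."""
    v = {"Semicolon path parameters"} if ";" in url else set()
    cur, passes = url, 0
    while True:                           # decode repeatedly until nothing changes
        if BAD.search(cur):
            v.add("Bad unescape")
        nxt = decode_once(cur, v)
        if nxt == cur:
            break
        cur, passes = nxt, passes + 1
    if passes > max_decodes:
        v.add("Multiple decoding")
    if ".." in re.split(r"[\\/]", cur):   # checked before trailing dots are stripped
        v.add("Directory traversals")
    for name, pat, repl in NORMALIZE:
        cur, n = re.subn(pat, repl, cur)
        if n:
            v.add(name)
    return cur, sorted(v)
```

Running `normalize("/a/%252e%252e/b")` shows the double-encoding case: the path only becomes `/a/../b` on the second decoding pass, so it is reported as both Multiple decoding and Directory traversals.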