312-50V11 · Question #691
Take a look at the following attack on a Web Server using obstructed URL: How would you protect from these attacks?
The correct answer is B. Create rules in IDS to alert on strange Unicode requests. Obfuscated URL attacks use Unicode or hex encoding to bypass signature-based filters; deploying IDS rules to detect anomalous Unicode patterns in requests is the recommended detection control.
Question
Take a look at the following attack on a Web Server using obstructed URL:
How would you protect from these attacks?
Exhibit
Options
- AConfigure the Web Server to deny requests involving "hex encoded" characters
- BCreate rules in IDS to alert on strange Unicode requests
- CUse SSL authentication on Web Servers
- DEnable Active Scripts Detection at the firewall and routers
How the community answered
(28 responses)- A4% (1)
- B79% (22)
- C7% (2)
- D11% (3)
Why each option
Obfuscated URL attacks use Unicode or hex encoding to bypass signature-based filters; deploying IDS rules to detect anomalous Unicode patterns in requests is the recommended detection control.
Blocking all hex-encoded characters at the web server level would break legitimate functionality, as percent-encoding is a required part of the URI specification for many valid requests.
Creating IDS rules to alert on strange or anomalous Unicode requests is the appropriate control because obfuscated URL attacks rely on encoding sequences (e.g., %u002f, double-encoding) to evade static pattern filters on the server. An IDS inspects decoded request payloads and can flag suspicious encoding patterns before or after they reach the web server, providing detection coverage that the web server itself may miss.
SSL/TLS authentication encrypts the channel and verifies identity but performs no inspection of URL encoding patterns or malicious payload content.
Active Scripts Detection targets scripting-based attack vectors and does not specifically identify or block Unicode or hex URL obfuscation techniques.
Concept tested: IDS detection of Unicode URL obfuscation attacks
Source: https://owasp.org/www-community/attacks/Unicode_Encoding
Topics
Community Discussion
No community discussion yet for this question.
