nerdexam
EC-Council

312-50V11 · Question #691

Take a look at the following attack on a Web Server using obstructed URL: How would you protect from these attacks?

The correct answer is B. Create rules in IDS to alert on strange Unicode requests. Obfuscated URL attacks use Unicode or hex encoding to bypass signature-based filters; deploying IDS rules to detect anomalous Unicode patterns in requests is the recommended detection control.

Hacking Web Servers

Question

Take a look at the following attack on a Web Server using obstructed URL:

How would you protect from these attacks?

Exhibit

312-50V11 question #691 exhibit

Options

  • AConfigure the Web Server to deny requests involving "hex encoded" characters
  • BCreate rules in IDS to alert on strange Unicode requests
  • CUse SSL authentication on Web Servers
  • DEnable Active Scripts Detection at the firewall and routers

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    79% (22)
  • C
    7% (2)
  • D
    11% (3)

Why each option

Obfuscated URL attacks use Unicode or hex encoding to bypass signature-based filters; deploying IDS rules to detect anomalous Unicode patterns in requests is the recommended detection control.

AConfigure the Web Server to deny requests involving "hex encoded" characters

Blocking all hex-encoded characters at the web server level would break legitimate functionality, as percent-encoding is a required part of the URI specification for many valid requests.

BCreate rules in IDS to alert on strange Unicode requestsCorrect

Creating IDS rules to alert on strange or anomalous Unicode requests is the appropriate control because obfuscated URL attacks rely on encoding sequences (e.g., %u002f, double-encoding) to evade static pattern filters on the server. An IDS inspects decoded request payloads and can flag suspicious encoding patterns before or after they reach the web server, providing detection coverage that the web server itself may miss.

CUse SSL authentication on Web Servers

SSL/TLS authentication encrypts the channel and verifies identity but performs no inspection of URL encoding patterns or malicious payload content.

DEnable Active Scripts Detection at the firewall and routers

Active Scripts Detection targets scripting-based attack vectors and does not specifically identify or block Unicode or hex URL obfuscation techniques.

Concept tested: IDS detection of Unicode URL obfuscation attacks

Source: https://owasp.org/www-community/attacks/Unicode_Encoding

Topics

#URL obfuscation#hex encoding#web server attack#IDS rules

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice