1. Home
  2. CWE Database
  3. CWE-177
Variant · Low-Medium

CWE-177: Improper Handling of URL Encoding (Hex Encoding)

The product does not properly handle when all or part of an input has been URL encoded.

CWE-177 · Variant Level ·19 CVEs ·3 Mitigations

Description

The product does not properly handle when all or part of an input has been URL encoded.

Potential Impact

Integrity

Unexpected State

Mitigations & Prevention

Architecture and Design

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Implementation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Real-World CVE Examples

CVE IDDescription
CVE-2000-0900Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e"
CVE-2005-2256Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e"
CVE-2004-2121Hex-encoded path traversal variants - "%2e%2e", "%2e%2e%2f", "%5c%2e%2e"
CVE-2004-0280"%20" (encoded space)
CVE-2003-0424"%20" (encoded space)
CVE-2001-0693"%20" (encoded space)
CVE-2001-0778"%20" (encoded space)
CVE-2002-1831Crash via hex-encoded space "%20".
CVE-2000-0671"%00" (encoded null)
CVE-2004-0189"%00" (encoded null)
CVE-2002-1291"%00" (encoded null)
CVE-2002-1031"%00" (encoded null)
CVE-2001-1140"%00" (encoded null)
CVE-2004-0760"%00" (encoded null)
CVE-2002-1025"%00" (encoded null)

Showing 15 of 19 observed examples.

CWE-172: Encoding Error

The product does not properly encode or decode the data, resulting in unexpected values.

Taxonomy Mappings

  • PLOVER: — URL Encoding (Hex Encoding)

Frequently Asked Questions

What is CWE-177?

CWE-177 (Improper Handling of URL Encoding (Hex Encoding)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product does not properly handle when all or part of an input has been URL encoded.

How can CWE-177 be exploited?

Attackers can exploit CWE-177 (Improper Handling of URL Encoding (Hex Encoding)) to unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-177?

Key mitigations include: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

What is the severity of CWE-177?

CWE-177 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 19 real-world CVEs.