Web-Based Canonicalization Remedies

Like all potential canonicalization vulnerabilities, the first defense is to not make decisions based on the name of a resource if it's possible to represent the resource name in more than one way.

Restrict What Is Valid Input

The next best remedy is to restrict what is considered a valid user request. You created the resources being protected, and so you can define the valid ways to access that data and reject all other requests. Once again, validity is tested using regular expressions. I'll say it just one more time: always determine what is valid input and reject all other input. It's safer to have a client complain that something doesn't work because of an overzealous regular expression than have the service not work because it's been hacked!

Be Careful When Dealing with UTF-8

If you must manipulate UTF-8 characters, you need to reduce the data to its canonical form by using the MultiByteToWideChar function in Windows. The following sample code shows how you can call this function with various valid and invalid UTF-8 characters. You can find the complete code listing in the companion content in the folder Secureco2\Chapter11\UTF8. Also note that if you want to create UTF-8 characters, you can use WideCharToMultiByte by setting the code page to CP_UTF8.

#include <windows.h>
#include <stdio.h>

// Output buffer size for this sample (wide characters, excluding the terminator).
#define MAX_CHAR 256

void FromUTF8(LPBYTE pUTF8, DWORD cbUTF8) {
    WCHAR wszResult[MAX_CHAR + 1];
    DWORD dwResult = MAX_CHAR;

    // MB_ERR_INVALID_CHARS makes the call fail on malformed or overlong
    // sequences on Windows XP SP2 and later; Vista and later reject them anyway.
    int iRes = MultiByteToWideChar(CP_UTF8,
                                   MB_ERR_INVALID_CHARS,
                                   (LPCSTR)pUTF8,
                                   cbUTF8,
                                   wszResult,
                                   dwResult);
    if (iRes == 0) {
        DWORD dwErr = GetLastError();
        printf("MultiByteToWideChar() failed -> %d\n", dwErr);
    } else {
        // The input length is explicit, so no terminator is written; add one
        // before printing the wide string.
        wszResult[iRes] = L'\0';
        printf("MultiByteToWideChar() returned "
               "%S (%d) wide characters\n", wszResult, iRes);
    }
}

int main(void) {
    // Get Unicode for 0x5C; should be '\'.
    BYTE pUTF8_1[] = {0x5C};
    DWORD cbUTF8_1 = sizeof pUTF8_1;
    FromUTF8(pUTF8_1, cbUTF8_1);

    // Get Unicode for 0xC0 0xAF.
    // Should fail because this is an overlong '/'.
    BYTE pUTF8_2[] = {0xC0, 0xAF};
    DWORD cbUTF8_2 = sizeof pUTF8_2;
    FromUTF8(pUTF8_2, cbUTF8_2);

    // Get Unicode for 0xC2 0xA9; should be a '©' symbol.
    BYTE pUTF8_3[] = {0xC2, 0xA9};
    DWORD cbUTF8_3 = sizeof pUTF8_3;
    FromUTF8(pUTF8_3, cbUTF8_3);

    return 0;
}
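The following is an added, portable illustration (not from the book or its companion content) of the shortest-form rule that a canonicalizing decoder must enforce: a strict UTF-8 decoder that rejects overlong, truncated, surrogate and out-of-range sequences, run against the same three inputs as the listing above plus a three-byte overlong form. Function and variable names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Strict UTF-8 decoder. Writes code points to out and returns how many,
   or -1 if any sequence is truncated, overlong, a UTF-16 surrogate,
   or above U+10FFFF. Overlong forms such as C0 AF (a second way to
   spell '/') are the classic canonicalization bypass, so they are
   rejected outright rather than normalised. */
int utf8_decode_strict(const unsigned char *in, size_t len,
                       uint32_t *out, size_t outcap)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char b = in[i];
        uint32_t cp;
        size_t need, j;
        if (b < 0x80)                { cp = b;        need = 0; }
        else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; need = 1; }
        else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; need = 2; }
        else if ((b & 0xF8) == 0xF0) { cp = b & 0x07; need = 3; }
        else return -1;                 /* stray continuation or F8..FF */
        if (i + need >= len) return -1; /* truncated sequence */
        for (j = 1; j <= need; j++) {
            if ((in[i + j] & 0xC0) != 0x80) return -1;
            cp = (cp << 6) | (in[i + j] & 0x3F);
        }
        /* shortest-form rule: each length has a minimum code point */
        if ((need == 1 && cp < 0x80) || (need == 2 && cp < 0x800) ||
            (need == 3 && cp < 0x10000)) return -1;
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return -1;
        if (n >= outcap) return -1;
        out[n++] = cp;
        i += need + 1;
    }
    return (int)n;
}

/* Decode an input expected to hold exactly one character; code point or -1. */
long decode_one(const unsigned char *in, size_t len)
{
    uint32_t cp;
    return utf8_decode_strict(in, len, &cp, 1) == 1 ? (long)cp : -1L;
}

int main(void)
{
    /* Constructed inputs: the book's three cases plus a 3-byte overlong '/'. */
    const unsigned char a[] = {0x5C}, b[] = {0xC0, 0xAF},
                        c[] = {0xC2, 0xA9}, d[] = {0xE0, 0x80, 0xAF};
    printf("5C       -> %ld\n", decode_one(a, sizeof a));   /* 92  */
    printf("C0 AF    -> %ld\n", decode_one(b, sizeof b));   /* -1  */
    printf("C2 A9    -> %ld\n", decode_one(c, sizeof c));   /* 169 */
    printf("E0 80 AF -> %ld\n", decode_one(d, sizeof d));   /* -1  */
    return 0;
}
```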

ISAPIs Between a Rock and a Hard Place

ISAPI applications and ISAPI filters are probably the most vulnerable technologies, because they are often written in relatively low-level C or C++, they handle Web requests and responses, and they manipulate files. If you are writing ISAPI applications for IIS 6, you should use the SCRIPT_TRANSLATED server variable, which returns to your code a correctly canonicalized filename derived from the URL, rather than performing the work yourself and probably getting it wrong.

Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286