Custom Special Character Injection
Contributor(s): Weilin Zhong, KristenS, Alan Jex, kingthorin
Description
The software does not properly filter or quote special characters or reserved words that belong to a custom or proprietary language or representation used by the product. This allows an attacker to alter the syntax, content, or commands before the end system processes them.
Examples
Example 1
A simple example is an application that executes almost everything passed to it from the current terminal by the user, without sanitizing or blocking user input. If the application does not implement appropriate signal handling, we may interrupt or suspend program execution by sending the Ctrl+C (^C) or Ctrl+Z (^Z) key combination respectively. These combinations send signals to the application: in the first case SIGINT, in the second SIGSTOP.
Example 2
The classic example, often used by the IRC warriors/bandits, was disconnecting modem users by sending them a special sequence of characters. Sending the *+++ATH0* sequence over any IP-based protocol caused some modems to interpret it as a disconnect command. So all that had to be done was to send the sequence on an IRC channel, which in effect forced vulnerable modems to disconnect.