Skip to main content

Use consistent encoding


System components must use the same encodings and parsers.


System components use structured messages to communicate with other components. When these messages include input from untrusted sources and this input is not properly escaped, they become prone to the insertion of malicious commands. A part of the escaping process can be done by encoding the output messages. However, all components must use consistent encoding in order to prevent attacks that benefit from the presence of different parsing behaviors, e.g., Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) attacks.


  • CAPEC-33: HTTP Request Smuggling: HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways.

  • CAPEC-43: Exploiting Multiple Input Interpretation Layers: An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass.

  • CAPEC-153: Input Data Manipulation: An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.

  • CWE-116: Improper Encoding or Escaping of Output: The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

  • CWE-444: HTTP Request Smuggling: When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

  • OWASP-ASVS v4.0.1 V13.1: Generic Web Service Security Verification Requirements.(13.1.1): Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks.