Weaponising Unicode for Fun and Profit | by Eugene Lim | CSG @ GovTech


Plus a tool and tips for defenders.

From ASCII to Unicode

Example #1: Punycode Attacks

Example #2: Case Mapping Collisions

> "ß".toUpperCase() == "SS"
> true
// Simplified vulnerable flow: the lookup key is case-folded, but the reset email goes to the raw input
var resetUser = database.findUserWithEmail(attackerInput.toLowerCase());
if (resetUser != null) sendResetEmail(resetUser.resetToken(), attackerInput);
  1. An attacker enters an email address containing Unicode characters that, when lowercased, match the victim’s email address. GitHub lowercased any user input before searching the database for a matching email, a reasonable step for consistency and uniqueness checks.
  2. Once GitHub found a user matching the lowercased email, it sent the password reset email to the original, non-lowercased address entered by the attacker. Since the attacker controls that mailbox, the attacker receives the victim’s account reset link and can take over the account.
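The two steps above as a runnable simulation, added here as an example rather than code from the post or from GitHub: the vulnerable flow next to a hardened one that treats a non-ASCII address whose case mapping is pure ASCII as a collision candidate, folds only ASCII case for the lookup key, and mails the token to the address on record rather than to the request input. The user store, the addresses and the helper names (findUserWithEmail, hasCaseMappingCollision, asciiLowerCase, vulnerableReset, hardenedReset) are all constructed for this example.

```javascript
// Added example, not code from the original post or from GitHub: a simulated
// password-reset lookup showing the case-mapping collision, next to a hardened
// version. The user store, addresses and helper names are all constructed here.

const users = [
  { email: "mark@gh.io", resetToken: "RESET-TOKEN-FOR-MARK" }, // constructed sample record
];

function findUserWithEmail(key) {
  return users.find((u) => u.email === key) || null;
}

function isAscii(s) {
  return /^[\x00-\x7F]*$/.test(s);
}

// Detection signal: non-ASCII input whose Unicode case mapping is pure ASCII can only
// be there to land on an ASCII record ("ß" -> "SS", KELVIN SIGN U+212A -> "k").
function hasCaseMappingCollision(s) {
  return !isAscii(s) && (isAscii(s.toLowerCase()) || isAscii(s.toUpperCase()));
}

// ASCII-only case folding for lookup keys: leaves every non-ASCII character alone,
// so a Unicode character can never fold onto an ASCII letter in the key.
function asciiLowerCase(s) {
  return s.replace(/[A-Z]/g, (c) => c.toLowerCase());
}

// The vulnerable flow from the post in runnable form: Unicode-aware lowercasing for
// the lookup, and the reset mail addressed to the raw request input.
function vulnerableReset(input) {
  const resetUser = findUserWithEmail(input.toLowerCase());
  if (resetUser === null) return null;
  return { sentTo: input, token: resetUser.resetToken };
}

// Hardened flow: reject collision candidates, fold only ASCII case for the lookup, and
// address the mail to the stored address rather than to whatever the request contained.
function hardenedReset(input) {
  if (hasCaseMappingCollision(input)) {
    return { rejected: true, reason: "non-ASCII address case-maps to ASCII" };
  }
  const resetUser = findUserWithEmail(asciiLowerCase(input));
  if (resetUser === null) return null;
  return { rejected: false, sentTo: resetUser.email, token: resetUser.resetToken };
}

// Constructed attacker input: "mark@gh.io" with the ASCII k replaced by U+212A KELVIN
// SIGN, which String.prototype.toLowerCase() maps to ASCII "k".
const collidingInput = "mar\u212A@gh.io";

console.log("vulnerable:", vulnerableReset(collidingInput)); // token mailed to the attacker's address
console.log("hardened:  ", hardenedReset(collidingInput));   // rejected
console.log("hardened:  ", hardenedReset("MARK@gh.io"));     // mailed to mark@gh.io
```

Sending to the stored address alone closes the account takeover; the ASCII-only folding and the collision check are there so the lookup never matches such input in the first place and so the attempt shows up in logs.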

Example #3: Cross-Site Scripting

// Sink: the redirect target is uppercased before assignment, so any scheme check on the raw parameter is bypassed by characters that only become ASCII after case mapping
document.location = getQueryParam('redirect').toUpperCase();
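Why the uppercasing matters, as an added example that is not code from the original post: a blocklist check on the raw redirect parameter (the post shows only the sink, so this filter is assumed) is defeated once the sink calls toUpperCase(), while a validator that parses the value the way the browser will and allowlists the scheme and origin does not depend on case mapping at all. The function names (naiveRedirectTarget, hardenedRedirectTarget, hasCaseMappingCollision), the example origin and the sample inputs are constructed for this example.

```javascript
// Added example, not code from the original post: a blocklist check on the raw
// "redirect" parameter (assumed; the post shows only the sink) is defeated once the
// sink calls toUpperCase(). The hardened version never case-maps the URL and validates
// it with a URL parser and an allowlist. Names and sample inputs are constructed here.

function isAscii(s) {
  return /^[\x00-\x7F]*$/.test(s);
}

// Detection signal (same idea as the email case): non-ASCII input that case-maps to pure ASCII.
function hasCaseMappingCollision(s) {
  return !isAscii(s) && (isAscii(s.toLowerCase()) || isAscii(s.toUpperCase()));
}

// Vulnerable: the scheme check runs on the raw parameter, but the sink assigns the
// uppercased value, so a character that only becomes ASCII after case mapping slips past.
function naiveRedirectTarget(param) {
  if (param.toLowerCase().startsWith("javascript:")) return null; // blocklist on raw input
  return param.toUpperCase(); // what document.location would receive
}

// Hardened: never case-map a URL; parse it as the browser will, and allow only
// http(s) URLs on our own origin. The origin is a constructed example value.
function hardenedRedirectTarget(param, origin = "https://example.com") {
  let url;
  try {
    url = new URL(param, origin); // resolves relative paths against our origin
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.origin !== origin) return null; // also closes the open-redirect case
  return url.href;
}

// Constructed input: "javascript:" with the ASCII s replaced by U+017F LATIN SMALL LETTER
// LONG S, which toLowerCase() leaves alone and toUpperCase() maps to ASCII "S".
const collidingScheme = "java\u017Fcript:void(0)";

console.log("naive:   ", naiveRedirectTarget(collidingScheme));     // "JAVASCRIPT:VOID(0)"
console.log("hardened:", hardenedRedirectTarget(collidingScheme));  // never a javascript: URL
console.log("flagged: ", hasCaseMappingCollision(collidingScheme)); // true
console.log("hardened:", hardenedRedirectTarget("/account/settings"));
```

The general rule is to validate the value the sink actually uses, and for URLs to do it with the same parser the browser applies (which lowercases the scheme itself) rather than with string comparisons on a form the sink will later transform.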
Unicollider


