Questions tagged [unicode]
39 questions
59
votes
14 answers
Is it a good idea to use the entire Unicode range to generate a random password rather than limited ranges?
I know for a fact that some sites/apps with low security restrict passwords to alphanumeric characters only, and some allow a slightly broader ASCII range. Some sites/apps also support Unicode.
Passwords are usually meant to be typable on any…
person of entropy
- 589
- 1
- 4
- 5
28
votes
2 answers
List of visually similar characters, for detecting spoofing and social engineering attacks
I'm trying to detect homograph attacks and other attacks where an attacker uses a spoof domain name that looks visually similar to a trusted domain name (e.g., bankofthevvest.com instead of bankofthewest.com).
Is there a dictionary or database of…
D.W.
- 98,420
- 30
- 267
- 572
23
votes
3 answers
Browser is accepting italic/bold Unicode as part of SPAM email's URL
This is truly crazy. I received a SPAM email in which there is a URL crafted from apparent Unicode characters that surprisingly exist for italic/bold letters, which when I reported it to Google's spam collector using Thunderbird's Report Spam Email…
asker13
- 341
- 2
- 6
22
votes
4 answers
How did Anonymous use UTF-16 ASCII to fool PHP escaping?
A few months ago, Anonymous took down a child pornography site using SQL-injection. I read in this article that Anonymous claimed that "the server was using hardened PHP with escaping," but they were able to "bypass it with with UTF-16 ASCII…
Nate Glenn
- 333
- 1
- 2
- 6
18
votes
1 answer
Why does Directory traversal attack %C0%AF work?
Introduction: I am trying to learn the basics of Directory Traversal.
Question: While trying to understand the 2-Byte Unicode conversion of characters, I came across this_SANS ARTICLE that explains Directory Traversal vulnerability. It states that /…
DA12C 917
- 318
- 1
- 2
- 10
16
votes
3 answers
How to defend against homograph attacks?
Referring to this Wikipedia example of an homograph attack, the URL of Wikipedia had the Latin characters A and E replaced with a similar Cyrillic copy (wikipediа.org). These characters look so similar, how can they be differentiated?
toffee.beanns
- 291
- 2
- 6
13
votes
3 answers
Is there a way to bypass Django's XSS escaping with "unicode"?
Django (the Python web framework) escapes output to prevent XSS (Cross Site Scripting) attacks. It replaces ', ", <, >, & with their HTML safe versions.
However this presentation on slide share, (specifically slide № 13), says:
Problems
Any other…
Amandasaurus
- 231
- 1
- 2
- 5
12
votes
5 answers
Should a website limit characters that can be entered in its fields?
I got into a (somewhat heated) discussion with my colleague today about what characters our application should accept. This was prompted by the discovery that you can enter anything in the search box and the application will dutifully perform a…
Vilx-
- 998
- 2
- 7
- 15
11
votes
3 answers
White list or black list sanitation for international input?
There seem to be so many ways to create nefarious input that white-listing what input is good usually feels like the safer, simpler option.
For instance, one can fairly easily craft a white list regex that includes good things [a-zA-Z0-9], but…
jaketrent
- 213
- 2
- 6
11
votes
2 answers
PHP: if charset mismatches (htmlentities UTF-8) viewed by client as ISO-8859-1 (or vice versa)
Short Question:
Question: Could any security vulnerabilities arise if a server runs htmlentities as UTF-8 but the client views the results as ISO-8859-1?
Assumption: No vulnerabilities exist when one consistent charset is used
Detailed…
dajon
- 211
- 2
- 5
10
votes
2 answers
Does CVE-2021-42694 affect only compiled code?
A new critical issue was discovered in the character definitions of the Unicode Specification through 14.0.
Does it only affect code compiled from sources with disallowed unicode characters?
RHEL describes that it is relevant only to GCC.
Is it only…
Michael
- 1,457
- 1
- 18
- 36
9
votes
2 answers
Is it okay to normalize unicode passwords with NFC/NFD?
I am currently designing a login for a web service. I will use a PBKDF2 implementation for hashing the passwords.
However, I intend to allow unicode for passwords, as I will have international users, which might want to use, for example, cyrillic…
Jonas Schäfer
- 189
- 13
9
votes
3 answers
Is there a dictionary of visibly similar Unicode characters for Spam processing?
I have spam that looks like this:
мy вυddy'ѕ мoм мαĸeѕ $74/нoυr oɴ тнe lαpтop. ѕнe нαѕ вeeɴ lαιd oғғ ғor
ѕeveɴ мoɴтнѕ вυт lαѕт мoɴтн нer pαy cнecĸ wαѕ $19420 jυѕт worĸιɴɢ oɴ
тнe lαpтop ғor α ғew нoυrѕ. нere'ѕ тнe ѕιтe тo reαd мore
…
makerofthings7
- 50,090
- 54
- 250
- 536
6
votes
2 answers
What exploit types do I need to protect against in PHP?
I recently learned that it is common for people to attempt SQL injections using the HTTP referrer in PHP. What other inputs do I need to protect against?
I am currently "cleaning up" incoming $_GET[] and $_POST[], and now the server's referrer. I…
Frank E
- 103
- 1
- 1
- 3
6
votes
1 answer
Generating unicode javascript shellcode
I'm trying to generate shellcode to modify this exploit:
https://www.exploit-db.com/exploits/24947/
It says in the basic exploit:
{'$where':'shellcode=unescape("METASPLOIT JS GENERATED SHELLCODE");
And I'm not really sure what it means. Looking at…
user134167
- 141
- 1
- 3
- 8