IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [unicode]

39 questions
59
votes
14 answers

Is it a good idea to use the entire Unicode range to generate a random password rather than limited ranges?

I know for a fact that some sites/apps with low security restrict passwords to alphanumeric characters only, and some allow a slightly broader ASCII range. Some sites/apps also support Unicode. Passwords are usually meant to be typable on any…
person of entropy
  • 589
  • 1
  • 4
  • 5
28
votes
2 answers

List of visually similar characters, for detecting spoofing and social engineering attacks

I'm trying to detect homograph attacks and other attacks where an attacker uses a spoof domain name that looks visually similar to a trusted domain name (e.g., bankofthevvest.com instead of bankofthewest.com). Is there a dictionary or database of…
D.W.
  • 98,420
  • 30
  • 267
  • 572
23
votes
3 answers

Browser is accepting italic/bold Unicode as part of SPAM email's URL

This is truly crazy. I received a SPAM email in which there is a URL crafted from apparent Unicode characters that surprisingly exist for italic/bold letters, which when I reported it to Google's spam collector using Thunderbird's Report Spam Email…
asker13
  • 341
  • 2
  • 6
22
votes
4 answers

How did Anonymous use UTF-16 ASCII to fool PHP escaping?

A few months ago, Anonymous took down a child pornography site using SQL-injection. I read in this article that Anonymous claimed that "the server was using hardened PHP with escaping," but they were able to "bypass it with with UTF-16 ASCII…
Nate Glenn
  • 333
  • 1
  • 2
  • 6
18
votes
1 answer

Why does Directory traversal attack %C0%AF work?

Introduction: I am trying to learn the basics of Directory Traversal. Question: While trying to understand the 2-Byte Unicode conversion of characters, I came across this_SANS ARTICLE that explains Directory Traversal vulnerability. It states that /…
DA12C 917
  • 318
  • 1
  • 2
  • 10
16
votes
3 answers

How to defend against homograph attacks?

Referring to this Wikipedia example of an homograph attack, the URL of Wikipedia had the Latin characters A and E replaced with a similar Cyrillic copy (wikipediа.org). These characters look so similar, how can they be differentiated?
toffee.beanns
  • 291
  • 2
  • 6
13
votes
3 answers

Is there a way to bypass Django's XSS escaping with "unicode"?

Django (the Python web framework) escapes output to prevent XSS (Cross Site Scripting) attacks. It replaces ', ", <, >, & with their HTML safe versions. However this presentation on slide share, (specifically slide № 13), says: Problems Any other…
Amandasaurus
  • 231
  • 1
  • 2
  • 5
12
votes
5 answers

Should a website limit characters that can be entered in its fields?

I got into a (somewhat heated) discussion with my colleague today about what characters our application should accept. This was prompted by the discovery that you can enter anything in the search box and the application will dutifully perform a…
Vilx-
  • 998
  • 2
  • 7
  • 15
11
votes
3 answers

White list or black list sanitation for international input?

There seem to be so many ways to create nefarious input that white-listing what input is good usually feels like the safer, simpler option. For instance, one can fairly easily craft a white list regex that includes good things [a-zA-Z0-9], but…
jaketrent
  • 213
  • 2
  • 6
11
votes
2 answers

PHP: if charset mismatches (htmlentities UTF-8) viewed by client as ISO-8859-1 (or vice versa)

Short Question: Question: Could any security vulnerabilities arise if a server runs htmlentities as UTF-8 but the client views the results as ISO-8859-1? Assumption: No vulnerabilities exist when one consistent charset is used Detailed…
dajon
  • 211
  • 2
  • 5
10
votes
2 answers

Does CVE-2021-42694 affect only compiled code?

A new critical issue was discovered in the character definitions of the Unicode Specification through 14.0. Does it only affect code compiled from sources with disallowed unicode characters? RHEL describes that it is relevant only to GCC. Is it only…
Michael
  • 1,457
  • 1
  • 18
  • 36
9
votes
2 answers

Is it okay to normalize unicode passwords with NFC/NFD?

I am currently designing a login for a web service. I will use a PBKDF2 implementation for hashing the passwords. However, I intend to allow unicode for passwords, as I will have international users, which might want to use, for example, cyrillic…
Jonas Schäfer
  • 189
  • 13
9
votes
3 answers

Is there a dictionary of visibly similar Unicode characters for Spam processing?

I have spam that looks like this: мy вυddy'ѕ мoм мαĸeѕ $74/нoυr oɴ тнe lαpтop. ѕнe нαѕ вeeɴ lαιd oғғ ғor ѕeveɴ мoɴтнѕ вυт lαѕт мoɴтн нer pαy cнecĸ wαѕ $19420 jυѕт worĸιɴɢ oɴ тнe lαpтop ғor α ғew нoυrѕ. нere'ѕ тнe ѕιтe тo reαd мore …
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
6
votes
2 answers

What exploit types do I need to protect against in PHP?

I recently learned that it is common for people to attempt SQL injections using the HTTP referrer in PHP. What other inputs do I need to protect against? I am currently "cleaning up" incoming $_GET[] and $_POST[], and now the server's referrer. I…
Frank E
  • 103
  • 1
  • 1
  • 3
6
votes
1 answer

Generating unicode javascript shellcode

I'm trying to generate shellcode to modify this exploit: https://www.exploit-db.com/exploits/24947/ It says in the basic exploit: {'$where':'shellcode=unescape("METASPLOIT JS GENERATED SHELLCODE"); And I'm not really sure what it means. Looking at…
user134167
  • 141
  • 1
  • 3
  • 8
1
2 3