Agenda
- WhoAmI
- ASCII and ISO-8859
- Unicode
- Unicode encodings
- Security implications 101
- Real world examples
- Summary + QA
ASCII
- American Standard Code for Information Interchange
- Established in 1963
- 7-Bit character set
- Only 128 characters
- 0000000 → 1111111
- A: (65)₁₀ = (41)₁₆ = (1000001)₂
- a: (97)₁₀ = (61)₁₆ = (1100001)₂
ISO-8859-?
- ASCII compatible
- 8-Bit character set
- 256 characters
- 00000000 → 11111111
- One variant per region, e.g. 8859-1: Western Europe (Latin-1), 8859-2: Central Europe
Unicode
- Since 1991
- MultiByte character set
- Code points U+0000 → U+00FF are identical to ASCII and ISO-8859-1 (Latin-1); on the byte level only UTF-8 is compatible with ASCII
- Different encodings (UTF-8, UTF-16, UTF-32, UTF-EBCDIC, …)
Unicode
- U+0000 → U+10FFFF
- U+0000 → U+007F: ASCII
- U+0080 → U+00FF: ISO-8859-1 (Latin-1)
- U+0000 → U+FFFF (BMP: Basic Multilingual Plane) = 65,536 code points
- U+10000 → U+10FFFF (astral / supplementary planes) = 1,048,576 code points, over a million
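As an added example (not from the slides; the helper names are mine), the following Python encodes one code point by hand in UTF-8 and UTF-16, showing where the ranges above change the byte layout (ASCII stays one byte, the Latin-1 range needs two, the rest of the BMP three, the astral planes four bytes or a UTF-16 surrogate pair), and decodes UTF-8 strictly, rejecting overlong forms, surrogates and out-of-range values, which a decoder must do for the encoding to be unambiguous.

```python
def utf8_encode(cp: int) -> bytes:
    """Encode one code point as UTF-8 by hand (same bytes as chr(cp).encode())."""
    if cp < 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"U+{cp:04X} is not a Unicode scalar value")
    if cp < 0x80:                      # U+0000..U+007F: ASCII stays a single byte
        return bytes([cp])
    if cp < 0x800:                     # U+0080..U+07FF: two bytes (Latin-1 lands here)
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:                   # rest of the BMP: three bytes
        return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])
    return bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),   # astral planes: four bytes
                  0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])


def utf16_encode(cp: int) -> list:
    """UTF-16 code units: one for the BMP, a surrogate pair above U+FFFF."""
    if cp < 0x10000:
        return [cp]
    cp -= 0x10000
    return [0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF)]


def utf8_decode_strict(data: bytes) -> list:
    """Decode UTF-8 to code points, rejecting what a correct decoder must reject:
    overlong forms (e.g. C0 AF for '/'), surrogates, values above U+10FFFF,
    truncated sequences and bad continuation bytes."""
    cps, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            n, cp, minimum = 1, lead, 0
        elif 0xC2 <= lead <= 0xDF:     # C0 and C1 can only start overlong forms
            n, cp, minimum = 2, lead & 0x1F, 0x80
        elif 0xE0 <= lead <= 0xEF:
            n, cp, minimum = 3, lead & 0x0F, 0x800
        elif 0xF0 <= lead <= 0xF4:     # F5..FF would exceed U+10FFFF
            n, cp, minimum = 4, lead & 0x07, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{lead:02X} at offset {i}")
        if i + n > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for cont in data[i + 1:i + n]:
            if cont & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{cont:02X} at offset {i}")
            cp = (cp << 6) | (cont & 0x3F)
        if cp < minimum or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"overlong or invalid encoding of U+{cp:04X} at offset {i}")
        cps.append(cp)
        i += n
    return cps


def utf8_rejects(data: bytes) -> bool:
    """True if the strict decoder refuses the byte string."""
    try:
        utf8_decode_strict(data)
    except ValueError:
        return True
    return False
```

The overlong check is the security-relevant part: a lenient decoder that accepts C0 AF as '/' lets a path filter that only looks for the byte 0x2F be bypassed.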
Security Implications - Length of UTF8 String
```c
#define _XOPEN_SOURCE 700   /* for wcswidth() on glibc */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Returns the DISPLAY WIDTH (terminal columns) of a UTF-8 string, not its
   byte length; needs a UTF-8 locale, e.g. setlocale(LC_ALL, "C.UTF-8"). */
int measure(const char *string) {
    /* allocate enough memory to hold the wide string */
    size_t needed = mbstowcs(NULL, string, 0);
    if (needed == (size_t)-1) return -2;        /* invalid multibyte sequence */
    needed += 1;
    wchar_t *wcstring = malloc(needed * sizeof *wcstring);
    if (!wcstring) return -1;
    /* change encodings */
    if (mbstowcs(wcstring, string, needed) == (size_t)-1) { free(wcstring); return -2; }
    /* measure width */
    int width = wcswidth(wcstring, needed);
    free(wcstring);
    return width;
}

/* The slide's concatenation: the buffer is sized from display widths. Every
   non-ASCII character needs more UTF-8 bytes than columns, so snprintf
   truncates the result; an unbounded sprintf/strcpy here would overflow. */
char *concat_by_width(const char *str1, const char *str2) {
    size_t length = measure(str1) + measure(str2) + 1;
    char *concat = malloc(sizeof(char) * length);
    if (concat == NULL) { /* error */ return NULL; }
    snprintf(concat, length, "%s%s", str1, str2);
    return concat;
}
```
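What the C code above gets wrong is that "length" has several meanings for a Unicode string. This added Python example (not from the slides; function names are mine) computes four of them for the same input and models the slide's allocation, a buffer sized from display width plus one NUL, to show the truncation that results. The display-width rule (combining marks take zero columns, East Asian wide/fullwidth characters two) is a simplification of wcswidth().

```python
import unicodedata


def utf8_bytes(s: str) -> int:
    """Storage length in UTF-8 bytes: what malloc() or a byte-counted column needs."""
    return len(s.encode("utf-8"))


def code_points(s: str) -> int:
    """Number of Unicode scalar values (Python's len)."""
    return len(s)


def utf16_units(s: str) -> int:
    """Length as JavaScript or Java count it: astral code points take two units."""
    return sum(2 if ord(ch) > 0xFFFF else 1 for ch in s)


def display_width(s: str) -> int:
    """Approximate terminal columns, like wcswidth(): combining marks are
    zero-width, East Asian wide (W) and fullwidth (F) characters take two
    columns, everything else one. Simplified rule set (assumption)."""
    width = 0
    for ch in s:
        if unicodedata.category(ch).startswith("M"):
            continue
        width += 2 if unicodedata.east_asian_width(ch) in ("W", "F") else 1
    return width


def lengths(s: str) -> dict:
    """All four notions of length side by side."""
    return {"bytes": utf8_bytes(s), "code_points": code_points(s),
            "utf16_units": utf16_units(s), "width": display_width(s)}


def concat_into_width_sized_buffer(a: str, b: str) -> str:
    """Model of the C slide: the buffer holds width(a) + width(b) + 1 bytes and a
    bounded copy keeps only the UTF-8 bytes that fit. Truncation can cut a
    multi-byte sequence in half, hence decoding with errors='replace'."""
    size = display_width(a) + display_width(b) + 1
    raw = (a + b).encode("utf-8")[: size - 1]   # leave room for the NUL
    return raw.decode("utf-8", errors="replace")
```

For "e" followed by U+0301 COMBINING ACUTE ACCENT the four numbers are 3, 2, 2 and 1; for U+1F4A9 they are 4, 1, 2 and 2. Sizing a buffer from any of the last three silently drops or mangles the tail of the string.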
Security Implications - JavaScript Compare
Security Implications - JavaScript RegEx
Security Implications - MySQL vs. UTF-8
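The slide images are not part of this transcript. The issue behind the title is the well-documented one that MySQL's legacy `utf8` character set is really `utf8mb3`: it stores at most three bytes per character, so any astral code point (four bytes in UTF-8, e.g. U+1F4A9) cannot be stored. In strict SQL mode the INSERT fails with "Incorrect string value"; in non-strict mode the value is silently truncated at the first such character. `utf8mb4` is the fix. The following added Python example (not from the slides; names are mine) models that behaviour; the username-collision scenario with a hypothetical uniqueness check is illustrative, not a reported bug.

```python
def utf8mb3_safe(s: str) -> bool:
    """True if every code point fits in at most three UTF-8 bytes, i.e. lies in
    the BMP (<= U+FFFF), which is all MySQL's legacy 'utf8' (utf8mb3) stores."""
    return all(ord(ch) <= 0xFFFF for ch in s)


def store_as_utf8mb3(s: str, strict: bool) -> str:
    """Model (assumption, from MySQL's documented behaviour) of an INSERT into a
    utf8mb3 column: strict SQL mode rejects the value, non-strict mode keeps
    only the part before the first four-byte character."""
    for i, ch in enumerate(s):
        if ord(ch) > 0xFFFF:
            if strict:
                raise ValueError(f"Incorrect string value at position {i}")
            return s[:i]
    return s


def strict_insert_rejects(s: str) -> bool:
    """True if a strict-mode utf8mb3 column would refuse the value."""
    try:
        store_as_utf8mb3(s, strict=True)
    except ValueError:
        return True
    return False


def usernames_collide(requested: str, existing: str) -> bool:
    """Hypothetical registration check: the application compares the requested
    name with the existing one *before* storing, the database truncates
    afterwards, so the two rows end up holding the same name."""
    if requested == existing:
        return False                     # the application-level check catches this
    return store_as_utf8mb3(requested, strict=False) == existing
```

The check to run against a real schema is `SHOW CREATE TABLE`: any `CHARACTER SET utf8` (or `utf8mb3`) column that receives user input is affected, and `ALTER TABLE ... CONVERT TO CHARACTER SET utf8mb4` is the remedy.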
Abusing Unicode to attack a victim
Anything suspicious?
IDN Domains
IDN Domains and Mailing
IDN Domains → Find good ones
IDN $$$
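The IDN slides are images in the original deck. As an added example (not from the slides; the confusables table is a hand-picked subset of Unicode's confusables.txt and the function names are mine), the following Python shows what a registrar or mail gateway can check: the punycode form the wire actually carries, whether a label mixes scripts, and whether a label folds to a protected brand name once look-alike letters are mapped to Latin (a simplified form of the skeleton() function from UTS #39).

```python
import unicodedata

# Hand-picked subset of Unicode's confusables.txt (assumption: enough for the
# demo, not a complete table): Cyrillic/Greek letters that render like Latin.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l", "\u0501": "d",
    "\u03bf": "o", "\u03b1": "a",
}


def to_punycode(domain: str) -> str:
    """ASCII form sent on the wire; the standard-library codec implements IDNA2003."""
    return domain.encode("idna").decode("ascii")


def scripts_of(label: str) -> set:
    """Scripts of the letters in one label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Normalise, then fold confusable letters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def homograph_risk(domain: str, protected: tuple) -> list:
    """Findings per label: 'mixed-script' (browsers already flag this), or a label
    that is not a protected name itself but becomes one after folding (catches
    the all-Cyrillic spoof that a pure mixed-script rule misses)."""
    findings = []
    for label in domain.lower().split("."):
        if len(scripts_of(label)) > 1:
            findings.append((label, "mixed-script"))
        if label not in protected and skeleton(label) in protected:
            findings.append((label, f"looks like {skeleton(label)}"))
    return findings
```

With Cyrillic U+0430 in place of the Latin "a", "аpple.com" travels as xn--pple-43d.com; a label written entirely in Cyrillic ("аррӏе") passes the mixed-script test and is only caught by the skeleton comparison.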
Left or right?
How-to: ruby -e 'File.rename("backdoor_ppt.exe", "resume\xe2\x80\xaetpp.exe")'
\xe2\x80\xae is the UTF-8 encoding of U+202E RIGHT-TO-LEFT OVERRIDE: a bidi-aware file manager draws everything after it right to left, so the name shows up as resumeexe.ppt while the real extension stays .exe
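As an added example (not from the slides; names are mine), the following Python does the defender's side of the trick above: it finds bidi control characters in a filename, approximates how a renderer displays a name that contains a single U+202E with no terminating U+202C (the all-LTR tail is simply drawn reversed, which is an approximation of the full bidi algorithm, not an implementation of it), and flags names whose displayed extension differs from the real one.

```python
import os

BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def bidi_controls_in(name: str) -> list:
    """(index, abbreviation) for every bidi control character in the name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name: str) -> str:
    """Approximation of what a renderer shows for a name with one RLO and no
    PDF: the characters after U+202E appear reversed (assumes an LTR tail)."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """The extension the OS acts on, taken from the raw name."""
    return os.path.splitext(name)[1].lower()


def is_spoofed_extension(name: str) -> bool:
    """Flag names that contain bidi controls and whose displayed extension
    differs from the extension the OS will use."""
    return bool(bidi_controls_in(name)) and \
        real_extension(displayed_name(name)) != real_extension(name)


def scan(names: list) -> list:
    """Names from an upload or attachment list that should be blocked or renamed."""
    return [n for n in names if is_spoofed_extension(n)]
```

A cheaper but coarser policy is to reject any filename that contains a character from BIDI_CONTROLS at all; legitimate filenames almost never need them.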
RTLO Snapchat
RTLO $250
RTLO Go Go Go and hunt ... (from 2017)
2019 and still something to care about?
Crashing every iOS and OS X device
- Even Facebook implemented a filter within Messenger
Frontend vs. Backend
Spotify account hijacking
1. User ᴮᴵᴳᴮᴵᴿᴰ (U+1D2E U+1D35 U+1D33 U+1D2E U+1D35 U+1D3F U+1D30, modifier-letter capitals) triggers "forgot password"; the account is looked up by its canonical name:
>>> canonical_username(u'\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30')
u'BIGBIRD'
2. Clicking the password reset link in the mail canonicalises the name a second time, and the result is a different account:
>>> canonical_username(canonical_username(u'\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30'))
u'bigbird'
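The root cause is a canonicalisation that is not idempotent. The following added Python example (not Spotify's code; their implementation used the XMPP nodeprep stringprep profile, this is a reduced reconstruction that keeps only the relevant step order: case-map first, then NFKC-normalise) reproduces the two outputs above and shows the fix, rejecting any username whose canonical form is not a fixed point.

```python
import unicodedata


def canonical_username(name: str) -> str:
    """Reduced reconstruction (assumption) of a stringprep-style canonicalisation:
    lower-case first, then NFKC. U+1D2E has no lowercase mapping, so the case
    step leaves it alone and NFKC then turns it into a capital 'B'."""
    return unicodedata.normalize("NFKC", name.lower())


def canonical_is_fixed_point(name: str) -> bool:
    """True if canonicalising once and twice give the same result."""
    once = canonical_username(name)
    return canonical_username(once) == once


def safe_canonical_username(name: str) -> str:
    """Hardened variant: only accept names whose canonical form is a fixed point,
    so the name used to send the reset mail is the one used when the link is
    clicked. (Swapping the two steps, NFKC then lower, also fixes this case.)"""
    once = canonical_username(name)
    if canonical_username(once) != once:
        raise ValueError("username does not canonicalise to a fixed point")
    return once


def accounts_for(names: list) -> set:
    """Canonical account names a registration path would actually create."""
    return {safe_canonical_username(n) for n in names if canonical_is_fixed_point(n)}
```

The general check, for any canonicalisation function f, is `f(f(x)) == f(x)` on every input the system accepts; apply f exactly once at registration and once at lookup, and verify the fixed-point property at registration time.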
Phabricator Bypass
PILE OF POO
Summary
For developers:
- Verify that methods, functions and frameworks can handle Unicode
- Input validation must also handle Unicode characters
- Verify that all systems and interconnections can handle Unicode
For hunters:
- Go and inject 💩
- Automate it / implement it in your tools
Acknowledgment
- Mathias Bynens @mathias
- @FakeUnicode
Thanks for your time :)