.png)
1 year ago
59 BOOK THIS SPACE FOR AD
ARTICLE ADHello everyone,
I found a flaw that gave me access to user accounts by using Unicode normalization during my security analysis of the web application.
A system security vulnerability that allows attackers to perform an account takeover attack.The problem comes as a result of the system’s absence of sufficient Unicode normalization tests.Attackers can take advantage of this flaw to circumvent security measures and obtain unauthorized access to user accounts.
What is a Unicode character?
Unicode is a universal character set, or a standard that defines all of the characters required to write the majority of live languages used on computers in one location.
It aspires to be, and to a considerable extent already is, a superset of all other encoded character sets.
Vulnerability Details:
The flaw lies in the system’s Unicode normalization procedure.
Unicode normalization is the process of standardizing distinct representations of the same character in order to eliminate problems such as numerous character encodings for the same character.
Because the system does not execute sufficient Unicode normalization checks on user inputs, attackers can take advantage of this flaw.
Attackers can enter a specially constructed Unicode string that resembles the legal string but contains different Unicode characters.
The system is unable to differentiate between the two strings, allowing the attacker to get around security and access the victim’s account.
2. Log in to the account using the email address as normal.
3. Using a programming language that supports Unicode normalization (such as Python), perform a Unicode normalization on the email address using a normalization form that differs from the form used by the website. For example, use the NFKD normalization form instead of the NFC normalization form.
4. Use the normalized email address to log in to the account again. This time, the login attempt should be successful even though the email address has been modified by the normalization process.
5. If the login attempt is successful, the attacker has successfully taken over the user’s account.
6. The attacker can now access the victim’s personal information, payment details, and other sensitive data.
Create an account with an email address containing Unicode charactersemail = “tést@example.com” password = “password” data = {“email”: email, “password”: password} response = requests.post(“https://example.com/api/register", json=data)
2. Perform a Unicode normalization on the email address
normalized_email = unicodedata.normalize(‘NFKD’, email)
import unicodedataemail = "tést@example.com"
# Normalize the email address using NFKD
normalized_email = unicodedata.normalize('NFKD', email)
print(normalized_email)
This example normalizes the email address using the NFKD option and the unicodedata.normalize method.All Unicode characters will be changed to their corresponding deconstructed forms in the resultant normalized email address.This can make sure that various depictions of the same character are recognized as being the same, which can be helpful for activities like comparing strings or looking for patterns in text.
3. Log in with the normalized email address
data = {“email”: normalized_email, “password”: password} response = requests.post(“https://example.com/api/login", json=data)
4. The system authenticates the account successfully
assert response.status_code == 200
Recommendation:
All Unicode characters entered by users should be verified by the website, and those that are forbidden should be rejected.
The problem can be reduced by implementing a whitelist of permitted Unicode characters and normalization forms.
Adding two-factor authentication and keeping an eye out for unusual login behavior can also stop illegal access to user accounts.
Bengali (Bangladesh) · 
English (United States) ·