Unicode Vulnerabilities That Could Byte You
Offered By: NorthSec via YouTube
Course Description
Overview
Explore Unicode vulnerabilities and their impact on modern applications in this 42-minute conference talk from NorthSec 2020. Delve into the security implications of encoding conversion, normalization, and character transformation. Learn about the HostSplit and HostBond attacks, which exploit minor character conversions to trigger open redirects and Server-Side Request Forgery (SSRF). Discover how uppercase and lowercase transformations can introduce vulnerabilities and how encoding can be used to bypass security controls like Web Application Firewalls. Examine the risks associated with Punycode representation in domain names and its potential for visual confusion. Gain a comprehensive understanding of Unicode-related security concerns, including patched issues and ongoing risks. Benefit from the expertise of Philippe Arteau, a security researcher at GoSecure, as he shares his insights on Web application security, static analysis tools, and proxy tool plugins.
Syllabus
Intro
Presentation Outline
Code points
Encoding
Security list
Example
General recommendations
Case modification
Critical signature
TLS validation
Safe function
Encoding bypass
XSS bypass
Does this work in certificates
Taught by
NorthSec