The vulnerability of Unicode normalization in hostnames can be exploited to steal tokens and compromise security. Best practices include using ASCII for all hostname comparisons, enabling the STD3 ASCII rules flag for conversions, and writing wrapper functions to prevent vulnerabilities in platform code.
- Unicode normalization in hostnames can be exploited to steal tokens and compromise security
- Software should make all decisions about hostnames using ASCII
- Enable the STD3 ASCII rules flag for conversions
- Write wrapper functions to prevent vulnerabilities in platform code
The vulnerability was exploited in Office 365 by using a redirect to steal tokens. The attack was made easier by the use of open redirects. The vulnerability can also be used against email and other network protocols that use hostnames. Best practices include testing software for Unicode normalization vulnerabilities and comparing hostnames only in their ASCII form.
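To illustrate the first two best practices, the following is an added Python example, not code from the talk: a naive suffix check on the raw Unicode string accepts a crafted hostname that later normalizes into a different host, while converting to ASCII under the STD3 rules rejects it. The trusted suffix, the crafted hostname and the small to_ascii_std3 helper (a stand-in for an IDNA library call with its STD3 rules option enabled) are constructed for this example.

```python
import re
import unicodedata

# Constructed sample values for this example (not from the talk): the suffix
# an application trusts, and a crafted hostname containing U+2100 ACCOUNT OF,
# which NFKC normalization expands to the three ASCII characters "a/c".
TRUSTED_SUFFIX = ".example.com"
CRAFTED_HOST = "evil.c\u2100.example.com"

# STD3 ASCII rules: a label is letters, digits and hyphens only (LDH),
# 1-63 characters, not starting or ending with a hyphen.
LDH_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def to_ascii_std3(hostname):
    """Return the ASCII (IDNA) form of hostname, raising ValueError when a
    label breaks the STD3 ASCII rules after normalization. Stand-in for an
    IDNA library call made with its STD3 rules option enabled."""
    normalized = unicodedata.normalize("NFKC", hostname).casefold()
    ascii_labels = []
    for label in normalized.rstrip(".").split("."):
        if label.isascii():
            ascii_label = label
        else:
            # Non-ASCII labels become Punycode A-labels.
            ascii_label = "xn--" + label.encode("punycode").decode("ascii")
        if not LDH_LABEL.fullmatch(ascii_label):
            raise ValueError("label %r violates STD3 ASCII rules" % label)
        ascii_labels.append(ascii_label)
    return ".".join(ascii_labels)


def naive_is_trusted(hostname):
    """Anti-pattern: decide on the raw Unicode string before conversion."""
    return hostname.endswith(TRUSTED_SUFFIX)


def host_after_normalization(hostname):
    """Host a later component sees if it normalizes first and then re-parses:
    everything before the first '/' of the NFKC form."""
    return unicodedata.normalize("NFKC", hostname).split("/", 1)[0]


def safe_is_trusted(hostname):
    """Best practice: convert to ASCII with STD3 rules, then compare."""
    try:
        ascii_host = to_ascii_std3(hostname)
    except ValueError:
        return False
    return ascii_host == TRUSTED_SUFFIX[1:] or ascii_host.endswith(TRUSTED_SUFFIX)
```

The naive check sees a host ending in `.example.com`, but after normalization the same string splits into host `evil.ca` and path `/c.example.com`; the STD3 conversion refuses the label `ca/c` outright.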
This talk demonstrates new exploit techniques that leverage Unicode normalization behavior to bypass URL security filters and, in some cases, allow one domain to impersonate another. Where previous attacks against internationalized domain names relied on visual spoofing, these attacks fool software with URL strings that are parsed as belonging to one hostname but resolved as belonging to a different hostname. The vulnerabilities that enable these attacks are widespread, because they result from practical compromises in implementing IDNA standards. The author of this talk identified several new CVEs which will be discussed, including vulnerabilities in Edge/IE, .NET, Python, Java, Office 365, and Gmail. A more general exploit pattern against OAuth is also explained. Although some platform-level problems have already been corrected, many of the fixes for these vulnerabilities will need to be made at an application level. It is likely that there are still many software packages with Unicode normalization vulnerabilities of this type. This talk discusses methods to test for these vulnerabilities as well as coding and design best practices for preventing them.