HostSplit: Exploitable Antipatterns in Unicode Normalization

HostSplit: Exploitable Antipatterns in Unicode Normalization

This talk demonstrates new exploit techniques that leverage Unicode normalization behavior to bypass URL security filters and, in some cases, allow one domain to impersonate another. Where previous attacks against internationalized domain names relied on visual spoofing, these attacks fool software with URL strings that are parsed as belonging to one hostname but resolved as belonging to a different host name.

The vulnerabilities that enable these attacks are widespread, because they result from practical compromises in implementing IDNA standards. The author of this talk identified several new CVE's which will be discussed, including vulnerabilities in Edge/IE, .NET, Python, Java, Office 365, and Gmail. A more general exploit pattern against OAuth is also explained.

Although some platform-level problems have already been corrected, many of the fixes for these vulnerabilities will need to be made at an application level. It is likely that there are still many software packages with Unicode normalization vulnerabilities of this type.

This talk discusses methods to test for these vulnerabilities as well as coding and design best practices for preventing them.

Presented by