Security checks bypass due to a Unicode transformation

If a Unicode transformation (such as NFKC/NFKD normalization or a case conversion) is performed after a security check or logical validation, that check can be bypassed because distinct Unicode characters may collapse onto the same character once transformed. The validations of concern are any character escaping, any regex validation, or any other string verification.

Security checks bypassed

Perform a Unicode normalization before the logical validation.

The following example shows how all checks performed by flask.escape() are bypassed because Unicode normalization is applied after the escaping.

For instance: the character U+FE64 (SMALL LESS-THAN SIGN, ﹤) is not filtered out by the Flask escape function. But after Unicode normalization the character is transformed into U+003C ( < ), so the escaped output now contains a literal angle bracket.
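The ordering problem described above, as an added example that is not part of the original page. It uses the standard library's html.escape() in place of flask.escape() (both escape the same five characters: &, <, >, " and '), and unicodedata.normalize() for the NFKC transformation. The sample input is constructed for the example; the helper names vulnerable_render, hardened_render and nfkc_collisions are assumptions, not an API of Flask or MarkupSafe.

```python
import html
import unicodedata

# Constructed sample input: U+FE64 (SMALL LESS-THAN SIGN) and U+FE65 (SMALL
# GREATER-THAN SIGN) wrap a tag name. Neither code point is touched by HTML
# escaping, but NFKC folds them to U+003C '<' and U+003E '>'.
SAMPLE_INPUT = "\ufe64b\ufe65bold\ufe64/b\ufe65"


def vulnerable_render(user_input: str) -> str:
    """Escape first, normalize afterwards: the ordering this finding warns about."""
    escaped = html.escape(user_input)  # sees no '<' or '>' and leaves the input untouched
    # Normalization runs after the check and folds U+FE64/U+FE65 into real angle brackets.
    return unicodedata.normalize("NFKC", escaped)


def hardened_render(user_input: str) -> str:
    """Normalize first, then escape: the check sees the canonical characters."""
    normalized = unicodedata.normalize("NFKC", user_input)
    return html.escape(normalized)


def contains_markup(rendered: str) -> bool:
    """True when the rendered output carries an unescaped HTML tag."""
    return "<b>" in rendered


def nfkc_collisions(target: str, upper: int = 0x10000) -> list[int]:
    """Code points (here: in the Basic Multilingual Plane) whose NFKC form equals target.

    Useful when auditing an escaping or regex check: every returned code point
    must be handled before normalization, or normalization must run first.
    """
    hits = []
    for cp in range(0x80, upper):
        ch = chr(cp)
        if unicodedata.category(ch).startswith(("Cs", "Co")):  # skip surrogates / private use
            continue
        if unicodedata.normalize("NFKC", ch) == target:
            hits.append(cp)
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_render(SAMPLE_INPUT))
    print("hardened:  ", hardened_render(SAMPLE_INPUT))
    print("folds to '<':", [f"U+{cp:04X}" for cp in nfkc_collisions("<")])
```

Running the block prints an unescaped `<b>bold</b>` from vulnerable_render and the fully escaped `&lt;b&gt;bold&lt;/b&gt;` from hardened_render. nfkc_collisions("<") enumerates the BMP characters that NFKC collapses onto `<` (U+FE64 and U+FF1C among them), which is the list a reviewer wants when deciding whether a check that runs before normalization is actually complete.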

  • Research study: Unicode vulnerabilities that could bYte you and Unicode pentest cheatsheet.