Homograph attack. URLs displayed in unicode in bug reports and on external link warning page
Hyperlinks on reports to external sites use a routing page to warn users they are about to leave Hackerone. Links could be created using homograph characters that lead to malicious sites, misleading report readers who followed the links.
Hackerone fixed the issue by changing the routing page to display the URL in Punycode instead of the misleading Unicode.
How To Perform
- 1) Look for application services that allow you to alter the URL (example.com/username, user.example.com, etc)
- 2) Create attempt to create spoof accounts using homograph letters
- а, с, е, о, р, х and у
- 3) Create links using homograph letters