Homograph attack. URLs displayed in unicode in bug reports and on external link warning page

From Hackipedia
Hackerone #29491
Target: Hackerone
Target Module:
Type: Best Practice
Payload:
Original: Link
CVE:
Archive Screenshot

Hyperlinks in reports to external sites use a routing page to warn users that they are about to leave Hackerone. Links could be created using homograph characters (Unicode letters that look like Latin ones) that lead to malicious sites, misleading report readers who followed them, because the warning page displayed the spoofed Unicode form of the host.

Hackerone fixed the issue by changing the routing page to display the URL in Punycode instead of the misleading Unicode.

How To Perform

  1. Look for application services that allow you to alter the URL (example.com/username, user.example.com, etc.)
  2. Attempt to create spoof accounts using homograph letters
    1. Examples
      1. а, с, е, о, р, х and у
      2. АВСЕНІЈКМОРЅТХ
  3. Create links using homograph letters
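As an added example (not Hackerone's code; the function names are assumed), the following Python shows the mitigation from the fix above applied to the look-alike letters listed in this section: re-render an external link's host in Punycode before displaying it on the warning page, and classify hosts whose labels mix scripts so the page can call them out.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Scripts that commonly supply look-alike letters (constructed list;
# anything outside it is lumped into "OTHER").
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")


def scripts_in(label):
    """Return the set of scripts used by the letters of one DNS label."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens are script-neutral
        script = unicodedata.name(ch, "").split(" ", 1)[0]
        found.add(script if script in SCRIPTS else "OTHER")
    return found


def punycode_url(url):
    """Rebuild the URL with its host converted to ASCII (IDNA/Punycode),
    so a Cyrillic letter can no longer masquerade as a Latin one.
    Python's built-in 'idna' codec implements IDNA 2003; a production
    site would normally use the third-party 'idna' package (UTS 46)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    ascii_host = host.encode("idna").decode("ascii")
    netloc = ascii_host + (":%d" % parts.port if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment))


def classify_host(url):
    """'ascii' for plain hosts, 'mixed-script' when one label combines
    scripts (the classic homograph pattern), 'idn' for a genuine
    single-script internationalised name that still deserves Punycode."""
    host = urlsplit(url).hostname or ""
    if host.isascii():
        return "ascii"
    for label in host.split("."):
        if len(scripts_in(label)) > 1:
            return "mixed-script"
    return "idn"


if __name__ == "__main__":
    # Constructed sample: Latin "paypal" with a Cyrillic small a (U+0430).
    spoof = "https://p\u0430ypal.com/login"
    print(classify_host(spoof), punycode_url(spoof))
```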