Normalization and Unicode attacks (password resets)
- Force the application to send the reset link to an attacker-controlled email address:
  - Use Unicode characters (e.g., ı (U+0131), а (U+0430), А (U+0410), d, ë (U+00EB)) in the:
    - local part of the email address
    - domain part of the email address
  - Use the ASCII equivalent or the punycode address
  - Consider race conditions: https://portswigger.net/research/smashing-the-state-machine#single-endpoint
- Force the application to send a password reset link with a wrong target domain:
  - Trigger the password reset function with a different Host header (only works if the server serves the website for arbitrary vhosts)
  - Use the X-Forwarded-Host header to check if you can override the Host header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
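The wrong-target-domain case in code form, as an added example that is not part of the original checklist: a reset-link builder that trusts `X-Forwarded-Host`/`Host` next to one that validates `Host` against an allowlist and builds the link from configuration only. `CANONICAL_ORIGIN`, `ALLOWED_HOSTS` and the `/reset?token=` path are assumptions made for this example.

```python
# Assumed deployment configuration for this example (not from the original page):
# the public origin the application is reachable at.
CANONICAL_ORIGIN = "https://app.example"
ALLOWED_HOSTS = {"app.example"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the link from request headers. X-Forwarded-Host wins over Host,
    so whoever controls either header decides which domain the victim's
    reset token is sent to."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def hardened_reset_link(headers: dict, token: str):
    """Checks Host (without port, case-insensitively) against an allowlist,
    never reads X-Forwarded-Host, and builds the link from configuration.
    Returns None when the request arrived for a vhost we do not serve."""
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return None
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


if __name__ == "__main__":
    # Constructed request headers: a forwarded-host override on a valid Host.
    hdrs = {"Host": "app.example", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", vulnerable_reset_link(hdrs, "TOKEN"))
    print("hardened:  ", hardened_reset_link(hdrs, "TOKEN"))
```

A reverse proxy that legitimately sets `X-Forwarded-Host` should be handled by configuring the canonical origin on the application, not by letting the application read the header back.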
More examples: https://youtu.be/WCuPq-Aw714?si=w1mT-rwqIpPuRNCB&t=1070
Example domains:
- sysliftërs.com
- syslıfters.com
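Why the two example domains above work, shown as an added example that is not part of the original checklist: a lookup that folds case and strips diacritics (so `ı` and `ë` collapse onto `i` and `e`) matches the victim's stored address, and the vulnerable variant then mails the address as submitted. The hardened variant refuses input that is not already NFC, folds only ASCII case, and always mails the stored canonical address. The `USERS` table and `victim@syslifters.com` are constructed for this example.

```python
import unicodedata

# Constructed user store for this example (not data from the original page):
# the key is the canonical address the account was registered with.
USERS = {"victim@syslifters.com": {"id": 1}}


def loose_key(email: str) -> str:
    """Over-eager normalization: compatibility-decompose, drop combining
    marks (ë -> e) and round-trip through upper/lower case (ı -> I -> i)."""
    decomposed = unicodedata.normalize("NFKD", email)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.upper().lower()


def vulnerable_recipient(submitted: str):
    """Finds the account via loose_key() but returns the submitted string as
    the mail recipient, so a look-alike address receives the reset link."""
    for stored in USERS:
        if loose_key(stored) == loose_key(submitted):
            return submitted
    return None


def ascii_lower(s: str) -> str:
    """Fold ASCII letters only; non-ASCII stays as typed, so Unicode case
    mappings (ı/İ, the Kelvin sign, ...) cannot collapse onto ASCII."""
    return "".join(c.lower() if c.isascii() else c for c in s)


def hardened_recipient(submitted: str):
    """Reject input that is not already NFC, match with ASCII-only folding,
    and return the stored canonical address as the only mail recipient."""
    if unicodedata.normalize("NFC", submitted) != submitted:
        return None
    for stored in USERS:
        if ascii_lower(stored) == ascii_lower(submitted):
            return stored
    return None


if __name__ == "__main__":
    for probe in ("victim@sysl\u0131fters.com",   # dotless i
                  "victim@syslift\u00ebrs.com",   # e with diaeresis
                  "Victim@SYSLIFTERS.com"):       # plain ASCII case change
        print(f"{probe!r}: vulnerable -> {vulnerable_recipient(probe)!r}, "
              f"hardened -> {hardened_recipient(probe)!r}")
```

The decisive fix is the last line of `hardened_recipient`: whatever comparison the lookup uses, the link goes to the address on record. The NFC and ASCII-only-folding checks close the remaining gap where a look-alike address would be accepted as a new registration or as a login identifier.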