ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #611 from DotDotSlashRepo/master

Browse Source 
Updated Account takeover due to unicode normalization issue
This commit is contained in:
Swissky 2023-01-04 17:21:55 +01:00 committed by GitHub
commit 095024f960
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Account Takeover/README.md
View File

@ -122,9 +122,14 @@ See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
### Account takeover due to unicode normalization issue ### Account takeover due to unicode normalization issue
When processing user input involving unicode for case mapping or normalisation, unexcepted behavior can occur.
- Victim account: `demo@gmail.com` - Victim account: `demo@gmail.com`
- Attacker account: `demⓞ@gmail.com` - Attacker account: `demⓞ@gmail.com`
[Unisub - is a tool that can suggest potential unicode characters that may be converted to a given character](https://github.com/tomnomnom/hacks/tree/master/unisub).
[Unicode pentester cheatsheet](https://gosecure.github.io/unicode-pentester-cheatsheet/) can be used to find list of suitable unicode characters based on platform.
## Account Takeover Via Cross Site Scripting ## Account Takeover Via Cross Site Scripting