Unicode Transformations: Finding Elusive Vulnerabilities presented at OWASP Appsec 2009

by Chris Weber (Casaba Security)

Tags: Exploitation

URL : http://www.owasp.org/index.php/Unicode_Transformations:_Finding_Elusive_Vulnerabilities

Summary : The complex landscape of Unicode provides many angles for exploiting software and end users. We've known about some of these for years: we've seen buffer overflows exploited because of faulty Unicode handling, and we've seen homograph attacks in URLs. However, the real mysteries remain latent, unapparent to most software developers and even to the security testing community. This talk will raise awareness around interesting attack vectors and new areas of research into Unicode, as well as open people's eyes to the modern Visual Spoofing attacks of today. This talk will include demonstrations of several uncommon vulnerabilities/attack vectors, and will also include a tool release to assist in finding these issues. A separate Spoof-detection component will also be released to demonstrate how we can defend users against Visual Spoofing attacks.