Collaborate Disseminate
I am practicing some malware detection basics and it has caught my attention that the Cyrillic alphabet is not detected by practically any traditional string detection tool.
Source Code
while (strcmp(password, user_input) != 0)
{
p… Continue reading Floss and many tools not detecting cyrillic strings in binary
A new critical issue was discovered in the character definitions of the Unicode Specification through 14.0.
Does it only affect code compiled from sources with disallowed unicode characters?
RHEL describes that it is relevant only to GCC.
… Continue reading Does CVE-2021-42694 affect only compiled code?
Lately, the security community has been asking interesting questions around surprising side effects of raw Unicode formatting characters in source code. That got me thinking about input validation and display in web apps. Normally, I rely … Continue reading What are best practices for handling user Unicode in a web application?
The job of a dumb terminal was originally to be a continuation of that performed by a paper teletype, to send text from its keyboard and display any it receives …read more Continue reading This Arduino Terminal Does All The Characters
I am pentesting a web application. It makes a backend call to another application, and I am trying to hijack that call.
I have gained control over the URL path, query parameters, and fragment that is being sent (e.g. if the URL is https://… Continue reading Is there any way to get a unicode character that has a byte of 23?
Most readers will have at least some passing familiarity with the terms ‘Unicode’ and ‘UTF-8’, but what is really behind them? At their core they refer to character encoding schemes, …read more Continue reading Unicode: On Building The One Character Set To Rule Them All
Recently, there has been an absolute massive flood of scammers on YouTube videos related to Bitcoin. Their "trick" is to use the exact same username and profile picture as the person who uploaded the video, for example "MMCr… Continue reading How is it possible for scammers on YouTube to use the same exact username as the author of the video?
On a particular page in this application, we have a form which allows for a very select few to input data into it, because at the end of the day (and, well, event loop) we end up wrappping that input in to an eval which we highly sanitize … Continue reading Zero width character causing Javascript runtime error
I am doing some xss challenges and I have a challence that has angle brackets, single, double quotes, backslash and backticks Unicode-escaped when I enter them in the search box.
How can I bypass this filter ? I searched google but found n… Continue reading How to do and XSS on angle brackets, single, double quotes, backslash and backticks Unicode-escaped
I am building a web application in which a third party library is used, which transforms the user input into JSON and sends it to an controller action. In this action, we serialize the input using the standard Microsoft serialize from the … Continue reading Is unicode character encoding a safe alternative for html encoding when rendering unsafe user input to html?