Unicode Case Mapping Collisions
A collision occurs when two different Unicode characters are uppercased or lowercased into the same character.
Note: 'ß'.toLowerCase() does not equal "ss".
You may sometimes be able to abuse this with "Forgot password" emails, for example. If it asks you for an email address, then instead of "sass@sass.com" you can put in "saß@sass.com" or "sass@saß.com". If the application converts it to lowercase and compares your input to "sass@sass.com", then the password reset link will be sent to your malicious email instead of "sass@sass.com".
Here's a vulnerable Node.js application's code, for example:
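The following is an added example, not the application code from the original page. It uses the page's "saß@sass.com" case: as the note above says, toLowerCase() leaves 'ß' unchanged, so the collision only appears under toUpperCase() ('ß' becomes "SS"); the constructed user table, the lookup functions and the hardened variant (ASCII-only folding, reset link always sent to the stored address) are assumptions of this example.

```javascript
// Added example (not from the original page). Constructed user table:
// the only registered account is sass@sass.com.
const users = new Map([["sass@sass.com", { id: 1 }]]);

// Two distinct strings collide under a case mapping if the mapping makes them equal.
function lowerCollides(a, b) { return a !== b && a.toLowerCase() === b.toLowerCase(); }
function upperCollides(a, b) { return a !== b && a.toUpperCase() === b.toUpperCase(); }

// Vulnerable lookup (hypothetical): case-folds the *supplied* address with the
// full Unicode mapping and then mails the reset link to whatever was typed in.
function findUserVulnerable(email) {
  const key = email.toUpperCase();            // "saß@sass.com" -> "SASS@SASS.COM"
  for (const [stored, user] of users) {
    if (stored.toUpperCase() === key) {
      return { user, sendTo: email };         // attacker-controlled destination
    }
  }
  return null;
}

// Hardened lookup (hypothetical): fold only ASCII letters, so non-ASCII
// characters are compared exactly as given, and always send the reset link
// to the address on record rather than the one from the form.
function asciiLower(s) { return s.replace(/[A-Z]/g, (c) => c.toLowerCase()); }
function findUserHardened(email) {
  const key = asciiLower(email);
  for (const [stored, user] of users) {
    if (asciiLower(stored) === key) {
      return { user, sendTo: stored };        // stored address, never the input
    }
  }
  return null;
}

// Detection aid: flag an input whose case-folded form differs in length from
// the input, which is exactly what happens with 'ß' -> "SS".
function caseMappingChangesLength(s) {
  return s.toUpperCase().length !== s.length || s.toLowerCase().length !== s.length;
}
```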