Collisions

Unicode Case Mapping Collisions

A collision occurs when two different Unicode characters are uppercased or lowercased into the same character.

'ß'.toUpperCase() === 'ss'.toUpperCase() // true
'ß'.toUpperCase() === 'SS' // true

Note: 'ß'.toLowerCase() does not equal ss.

Click here for a complete list of Unicode collisions.

You may sometimes be able to abuse this with "Forgot password" emails, for example. If it asks you for an email address, then instead of "sass@sass.com" you can put in "saß@sass.com" or "sass@saß.com". If the application converts it to lowercase and compares your input to "sass@sass.com", then the password reset link will be sent to your malicious email instead of "sass@sass.com".

Here's a vulnerable Node.js application's code, for example:

malicious_email = 'saß@sass.com';

// Converted to 'SASS@SASS.COM'
uppercased_email = malicious_email.toUpperCase();

// Will match a an existing user that's not controlled by the attacker ('SASS@SASS.COM')
user_id = get_user_from_database(uppercased_email);

if (user_id) {
  // Sends an email to 'saß@sass.com' for a password reset for the 'sass@sass.com' user.
  send_recovery_email(user_id, malicious_email);
}