Bypassing character blocklists with unicode overflows
Summary
This article from PortSwigger Research discusses Unicode codepoint truncation, also known as Unicode overflow attacks. This vulnerability occurs when a server attempts to store a Unicode character in a single byte, exceeding the byte's maximum value of 255.
IFF Assessment
FOE
Unicode overflow attacks can be used to bypass character blocklists, which is a technique used in web application security to prevent malicious input.
Defender Context
Defenders should be aware of Unicode overflow attacks as a method for bypassing input validation and blocklists. Implementing robust input sanitization and validation that correctly handles Unicode characters is crucial to prevent these types of bypasses.