As discussed on https://twitter.com/floyd_ch/status/1561991748682915840
There are certain Unicode characters that are sometimes turned into < or " or similar, meaning they are very nice examples of suspicious transformations that Backslash Powered Scanner checks for. Further details:
https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209
https://medium.com/csg-govtech/weaponizing-unicode-for-fun-and-profit-e2ce24d594c6
Apparently there are a couple of pieces of software that behave differently when Unicode is used as well:
https://www.theguardian.com/technology/2014/jun/12/tweetdeck-vulnerability-teen-code-emoji-heart
https://hackerone.com/reports/96337
As far as I see, Backslash Powered Scanner uses \u escapes such as:
https://github.com/PortSwigger/backslash-powered-scanner/blob/master/src/burp/DiffingScan.java#L161
But it does not directly use the "Unicode in UTF-8" bytes (starting with something 0x7f).
I don't have much experience with which Unicode chars would be a good start; I actually think it's a blind spot during my testing. So it would be nice if Backslash Powered Scanner provided this.
Extracted from the above links on what I think would be useful:
ſ always leads to I if uppercased. Nice to circumvent WAFs.
а (U+0430) might lead to "a" or "A" if additionally uppercased. Nice to circumvent WAFs. Looks nearly identical.
👔 (U+1F454) might lead to d”Y’”
💋 might lead to <
💛 might lead to >
Maybe it would make sense to add them as Unicode in UTF-8 bytes but maybe also \u escaped?
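As an added example (not part of the issue and not Backslash Powered Scanner code), the Python below renders each character named in the issue in both forms it asks about, raw UTF-8 bytes and \u escapes, and audits which server-side transformation introduces ASCII characters that were not in the input. The `FOLD` table, the choice of transforms and all function names are assumptions for illustration; reading UTF-8 bytes as Windows-1252 is one assumed mechanism for the emoji results.

```python
import unicodedata

# Characters named in the issue: U+017F, U+0430, U+1F454, U+1F48B, U+1F49B.
PROBES = ["\u017f", "\u0430", "\U0001F454", "\U0001F48B", "\U0001F49B"]

# Assumption for illustration: a small ASCII-folding table standing in for the
# "best fit" substitution some legacy charset conversions apply.
FOLD = str.maketrans({"\u2039": "<", "\u203a": ">", "\u2018": "'",
                      "\u2019": "'", "\u201c": '"', "\u201d": '"'})


def utf8_hex(ch):
    """Raw UTF-8 bytes of ch, as hex."""
    return ch.encode("utf-8").hex()


def u_escaped(ch):
    """\\uXXXX form of ch; astral code points become a surrogate pair."""
    raw = ch.encode("utf-16-be")
    return "".join("\\u%04x" % int.from_bytes(raw[i:i + 2], "big")
                   for i in range(0, len(raw), 2))


def mojibake_fold(s):
    """UTF-8 bytes misread as Windows-1252, then folded with FOLD."""
    return s.encode("utf-8").decode("cp1252", errors="replace").translate(FOLD)


# Server-side steps to audit (a hypothetical selection).
TRANSFORMS = {
    "upper": str.upper,
    "nfkc": lambda s: unicodedata.normalize("NFKC", s),
    "cp1252+fold": mojibake_fold,
}


def audit(ch):
    """Map transform name -> ASCII characters it introduced for input ch."""
    findings = {}
    for name, fn in TRANSFORMS.items():
        new_ascii = {c for c in fn(ch) if c.isascii()} - set(ch)
        if new_ascii:
            findings[name] = "".join(sorted(new_ascii))
    return findings


if __name__ == "__main__":
    for ch in PROBES:
        print("U+%04X" % ord(ch), utf8_hex(ch), u_escaped(ch), audit(ch))
```

Any transform that reports `<`, `>` or quote characters for non-ASCII input has to run before input filtering and output encoding, not after them.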