Unicode Security Guide

1) Home Page

2) Background

3) Visual Spoofing

4) Character Transformation

View the Project on GitHub websec/unicode-security-guide

Unicode Security Guide

Welcome to the Unicode Security Guide! This guide has been designed to give Web application developers, software engineers, and application security researchers a reference for understanding Unicode-related security issues in operating systems, applications, and the Web.

The dynamics of Unicode, and character encodings in general, are often misunderstood or poorly implemented, and lead to an array of interesting if not catastrophic security vulnerabilities.

The content here has been sourced through testing, research, and the following two technical reports from the Unicode Consortium:

Beyond these two sources, further research has been ongoing around identifying and inventorying software behaviors. Test cases are being provided in the source code repository.

Contributions and Acknowledgements

Thank you to the following security-minded practitioners for their valuable feedback:

Bil Corry

Abraham Kang

Disclaimers

This guide has been written by application security professionals, and has not endorsed or reviewed by the Unicode Consortium. It does draw on material from the Consortium, with references, where applicable.