Lost in Translation: Exploiting Unicode Normalization


As web applications evolve, so do their data processing pipelines—handling Unicode normalization, encoding, and translation before storing or executing user input. But what if these same data transformations could be weaponized by attackers? This talk exposes how Unicode normalization flaws (such as visual confusables/best-fit mappings, truncation/overflows, case-mappings and entity decodings) lead to critical security bypasses—allowing attackers to evade WAFs, input filters, and backend logic to execute Remote Code Execution (RCE), Cross-Site Scripting (XSS), Server-Side Template Injection (SSTI), Open Redirects, and HTTP Response Splitting.
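The ordering flaw behind several of the bypass classes listed above (compatibility mappings and case-mappings applied after an input filter has already run) can be shown in a few lines. This is an added example written for this page, not code from the presenters or the tools they mention; the filter rules and the NFKC-plus-uppercase backend pipeline are assumptions chosen for illustration.

```python
import unicodedata
from typing import List, Tuple

def sink_transform(s: str) -> str:
    """Transformations the backend applies before use: NFKC normalization
    (folds fullwidth/compatibility forms to ASCII) and a case-mapping."""
    return unicodedata.normalize("NFKC", s).upper()

def looks_dangerous(s: str) -> bool:
    """Naive filter: blocks angle brackets and 'script' (lowercase compare)."""
    return "<" in s or ">" in s or "script" in s.lower()

def vulnerable_pipeline(s: str) -> Tuple[bool, str]:
    """Check first, transform afterwards. Returns (accepted, value at sink)."""
    if looks_dangerous(s):
        return False, ""
    return True, sink_transform(s)

def hardened_pipeline(s: str) -> Tuple[bool, str]:
    """Transform first, then check the exact value the sink will see."""
    canonical = sink_transform(s)
    if looks_dangerous(canonical):
        return False, ""
    return True, canonical

def ascii_collapses(s: str) -> List[Tuple[str, str]]:
    """Detection heuristic: non-ASCII code points whose normalized/case-mapped
    form is pure ASCII, the signature of a confusable-style bypass attempt."""
    return [(c, sink_transform(c)) for c in s
            if ord(c) > 0x7F and sink_transform(c).isascii()]

# Constructed sample: fullwidth brackets (NFKC -> ASCII '<' '>') and dotless i
# (upper() -> ASCII 'I') are invisible to a filter that inspects the raw string.
SAMPLE = "\uff1cscr\u0131pt\uff1e"

if __name__ == "__main__":
    print(vulnerable_pipeline(SAMPLE))  # (True, '<SCRIPT>')
    print(hardened_pipeline(SAMPLE))    # (False, '')
    print(ascii_collapses(SAMPLE))      # the three characters that collapsed
```

The hardened variant only works because it applies exactly the transformations the sink applies; any later normalization step added downstream reopens the gap, which is what `ascii_collapses` is meant to flag at the edge.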

Using real-world attack data from Akamai’s research team, this session will showcase live exploitation demos, explore the impact of vulnerabilities like CVE-2024-4577 (PHP-CGI Argument Injection), and introduce cutting-edge Unicode fuzzing techniques. Attendees will leave with a deep understanding of Unicode security pitfalls and hands-on tools like Shazzer, recollapse, and Burp ActiveScan++ enhancements to detect these issues.

By:
Ryan Barnett | Principal Security Researcher, Akamai
Isabella Barnett | Cyber Security Engineering Student,

Presentation Materials Available at:
https://blackhat.com/us-25/briefings/schedule/?#lost-in-translation-exploiting-unicode-normalization-44923