Unicode and Downcase

Bookmarked!

This exercise covers how you can use unicode to gain access to an admin account.

PRO
Tier
Medium
< 1 Hr.
554
Brown Badge

This exercise explores a vulnerability discovered in GitHub's password reset functionality, where manipulating the case of a string can create collisions and unexpected behaviors. The issue arises because certain Unicode characters, such as the Kelvin sign (U+212A), are mapped back to a standard character (k) when converted to lowercase. This allows attackers to bypass anti-collision and filtering mechanisms if these checks occur before the conversion.

To exploit this vulnerability, one needs to find the correct encoding for the Kelvin sign when logging in. By leveraging this character, you can create a username that, when downcased, matches a protected username like "kadmin," allowing you unauthorized access. This exercise underscores the importance of understanding how even minor, less-known bugs can impact application security, providing valuable insights for penetration testers.

Want to learn more? Get started with PentesterLab Pro! GOPRO