Unicode and NFKC

This exercise covers how Unicode can be leveraged to exploit a directory traversal.

< 1 Hr.
Brown Badge


In this exercise, you will delve into Unicode transformations and how they can lead to unexpected behaviors in web applications. The core issue lies in string manipulation, which can create collisions and unforeseen outcomes. Specifically, the application attempts to prevent the use of ".." in file paths but normalizes the path before using it. This normalization process allows certain Unicode characters to be transformed into dots, thus bypassing the application's security checks.

The exploitation process involves identifying the right Unicode characters that, when decomposed and recomposed, turn into ".." and allow access to restricted files like /app/key.txt. This exercise highlights the importance of understanding Unicode Equivalence and Compatibility Characters in web security. By the end of the exercise, you will appreciate how minor changes in input validation can lead to significant security vulnerabilities.
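The ordering problem described above, as an added example that is not the exercise's own code: the first function filters ".." and then applies NFKC, while the second normalizes first and validates the form it actually uses. `BASE_DIR`, the function names and the constructed sample input (built from U+FF0E FULLWIDTH FULL STOP) are assumptions.

```python
import posixpath
import unicodedata

BASE_DIR = "/app/files"  # assumed serving directory, not taken from the exercise

# Constructed sample: two U+FF0E FULLWIDTH FULL STOP characters, which NFKC
# maps to ASCII "." each, followed by the file name mentioned on the page.
SAMPLE = "\uff0e\uff0e/key.txt"


def resolve_vulnerable(user_path: str) -> str:
    """Order described on the page: filter first, normalize afterwards."""
    if ".." in user_path:
        raise ValueError("traversal rejected")
    # The check above ran on the raw string; normalization can now create ".."
    normalized = unicodedata.normalize("NFKC", user_path)
    return posixpath.normpath(posixpath.join(BASE_DIR, normalized))


def resolve_hardened(user_path: str) -> str:
    """Normalize once, then validate and use only the normalized form."""
    normalized = unicodedata.normalize("NFKC", user_path)
    if ".." in normalized.split("/"):
        raise ValueError("traversal rejected")
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, normalized))
    # Defence in depth: the final path must still sit under BASE_DIR,
    # which also rejects absolute paths supplied by the caller.
    if posixpath.commonpath([BASE_DIR, resolved]) != BASE_DIR:
        raise ValueError("path escapes base directory")
    return resolved


if __name__ == "__main__":
    print("vulnerable:", resolve_vulnerable(SAMPLE))
    try:
        resolve_hardened(SAMPLE)
    except ValueError as exc:
        print("hardened:", exc)
```

The containment check in `resolve_hardened` is what keeps the function safe if a later change introduces another transformation between validation and use.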
