UTF-8 Bypass

Did you know that you used to be able to encode the "/" (solidus, also known as slash) character in UTF-8 in 3 different ways?

These were 0x2F, or 0xC0 0xAF, or 0xE0 0x80 0xAF.

This led to security issues and let attackers bypass validation logic.

The Unicode specification later was revised to say that a UTF-8 encoder must produce the shortest possible sequence that can represent a codepoint, and a decoder must reject any byte sequence that’s longer than it needs to be to fix this issue.

More reading:

Corrected UTF-8: https://www.owlfolio.org/development/corrected-utf-8/
CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic: https://capec.mitre.org/data/definitions/80.html

RAMBLINGS OF A MADMAN

Darwin

Darwin
- Disable MacOS doodoo garbage shinies with Nix Darwin
  
  Disable MacOS doodoo garbage shinies with Nix Darwin
Go

Go
- Go's iterators suit the moronic language
  
  Go's iterators suit the moronic language
Posix

Posix
- fsync(2) Pitfalls
  
  fsync(2) Pitfalls
- Sysadmin Copypasta
  
  Sysadmin Copypasta
Site

Site
- Analytics
  
  Analytics
- Availability
  
  Availability
Unicode

Unicode
- UTF-8 Bypass
  
  UTF-8 Bypass
Web

Web
- Bypass HSTS (HTTP Strict Transport Security)
  
  Bypass HSTS (HTTP Strict Transport Security)