A security vulnerability report arrived that went roughly like this:<\/p>\n
\nInternet Explorer has a security vulnerability that allows an attacker to bypass domain filtering. Suppose my web site filters domain names, say with the following test:<\/p>\n
if ($frame_domain == \"microsoft.com\") {\r\n block();\r\n}\r\n<\/pre>\nAn attacker can construct a frame which targets an intentional misspelling:<\/p>\n
<iframe src=\"https:\/\/\u24dcicrosoft.com\" ...>\r\n<\/pre>\nEven though the “\u24dc” is the Unicode character CIRCLED LATIN SMALL LETTER M (U+24DC), the web page that is shown in the frame is indeed
microsoft.com<\/code>. The web browser rewrote the domain, allowing an attacker to bypass filtering.<\/p>\n<\/blockquote>\nYes, this is all true. The web browser rewrote the domain, allowing an attacker to bypass filtering. But the bug is not in the web browser. The web browser is doing exactly what the standard says it’s supposed to do: Unicode Technical Standard #46<\/a> describes how so-called international domain names<\/i> are converted to ASCII for domain lookup purposes. One of the steps is to map the code points according to the IDNA Mapping Table<\/a>, and the IDNA Mapping Table says that character CIRCLED LATIN SMALL LETTER M (U+24DC) is mapped to LATIN SMALL LETTER M (U+006D).<\/p>\n
The bug is in the code which tries to block access to
microsoft.com<\/code>. It’s performing a literal string comparison againstmicrosoft.com<\/code> without going through the IDN conversion process. Indeed, you didn’t even need to use IDN to attack the filter.<\/p>\n<iframe src=\"https:\/\/microsoft.com.\" ...>\r\n<\/pre>\n