Burp Suite User Forum

Login to post

Unicode Normalization Bug

Rohit | Last updated: Sep 13, 2020 12:46PM UTC

During one of the pentests I was attempting to test for the Hostsplit unicode normalization vulnerability by tampering with the host header. More details about this vulnerability can be found here https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization-wp.pdf The test can be performed by adding a Host header as Host: www.evil.c℀.victim.com However, When I try to do this , burpsuite modifies this request and makes the Host header as Host: www.evil.c.victim.com which in my opinion should not be happening. As I need to check how the server is processing it. For a successful attack (i.e. the server is vulnerable) the server should be processing it as , which makes it a very critical vulnerability Host: www.evil.ca/c.victim.com This seems to be a bug in Burpsuite as it should not be normalising the request and rather send it as is.

ayub | Last updated: Sep 13, 2020 01:19PM UTC

Yes,Burp converting ℀ to null char. And also i have observed that, if you copy paste russian alphabet like ё into burp and perform any action, it will convert it into some other character ex: ё --> Q i think burp does not support other than English alphabets.

Michelle, PortSwigger Agent | Last updated: Sep 14, 2020 02:04PM UTC

Hi What options do you both have set under User Options -> Display? Which version of Burp are you using? Would you be happy to send us a screen recording showing the steps you take and the results you get and send them over to support@portswigger.net so we can take a closer look?

You need to Log in to post a reply. Or register here, for free.