
IDN and IRI Spoofing tests

Some things I found interesting about these tests.

In Firefox, a ::= has the same effect as a : in the normal sense of domain:port. It can just as well be domain::=port.
www.nottrusted.com⩴80 // using u2A74 which decomposes to ::=

Continuing on, it looks like both Firefox and Opera seem to allow URLs that look like the following:
http://www.nottrusted.com::::====80::::==443:::===80:::::===

I just messed around for a minute and it looks like they don’t care if you have a long string of this stuff. Opera seems to ignore the port number, but Firefox seems to connect to it. Anybody know if this is a standards-based behavior or what’s happening?

In Safari and Opera, the Latin letter kra has some strange effect on the Punycode encoding. Needs more investigation of the Latin Extended-A type script blocks: www․looĸout.com // using Latin letter kra 'ĸ' for 'k'

In IE, Safari, Firefox, Opera, and Google Chrome, some of the prohibited characters are allowed, most notably the Unicode BOM U+FEFF and the Word Joiner U+2060. The immediate malicious use for this I see would be bypassing any sort of domain-name filters or blacklists. Not to mention pulling off some nasty ‘invisible’ homograph attacks.

Whole-script spoofing

www.аЬс.com using Cyrillic script for domain label
www.ігѕ.com using Greek script for domain label
ᎳᎳᎳ.nottrusted.com using Cherokee script for subdomain label
ᗯᗯᗯ.nottrusted.com using Canadian script for subdomain label
www.nottrusted.ᎷᎬ using Cherokee script for TLD
www.nottrusted.сом using Cyrillic script for TLD

Mixed-script spoofing

www.oracᇉ.com // Mixed ASCII and Hangul script U+11CN looks like ‘LE’
www.I♥NY.com using ♥ for domain which is designated Common script
www.Αᑭᑭle.com using Canadian script for letter ‘p’
www.Α⍴⍴le.com using common script APL functional symbol for letter ‘p’
www.faϲebook.com using Greek script for letter ‘c’
Ꮃww.nottrusted.com using Cherokee script for subdomain label
ᗯww.nottrusted.com using Canadian script for subdomain label
www.nottrusted.сom using Cyrillic script for TLD

Single-script spoofing

sweet⒗com // using ⒗ Common script for domain and full stop
www․nottrusted.nͤͭ // using Inherited combining diacritical marks for TLD
www․nottrusted.com // using Latin capital O for o :)
www․looĸout.com // using Latin letter kra ‘ĸ’ for ‘k’
www․looĸout.com // using Latin letter turned ‘m’ for ‘w’ in subdomain and kra ‘ĸ’ for ‘k’ in domain
www․lookout.com // using Latin full width look

Spoofing in trusted TLDs

www.oracᇉ.org // Mixed ASCII and Hangul script Firefox trusted TLD
www.I♥NY.de using ♥ for domain with Firefox and Opera trusted TLD
www.Αᑭᑭle.de using Canadian script with Firefox and Opera trusted TLD

Normalization tests

www.nottrusted.com:80 // using uFF1A
http://www.nottrusted.com // using uFF1A
http﹕//www.nottrusted.com // using uFE55
http︓//www.nottrusted.com // using uFE13
www.lOokout.com // using uFF2F full width latin O
www․nottrusted.com // using u2024 one dot leader
www‥nottrusted.com // using u2025 two dot leader
www.nottrusted‧net // using u2027 hyphenation point
www…nottrusted.com // using u2026 horizontal ellipsis
http://www.nottrusted.com⁄.test.com // using u2044 fraction slash
www.lⓄⓄkout.сom using Latin Common script for ‘oo’ in domain label
www.nottrusted.nⓔt using Latin Common script for ‘e’ in TLD
www.nottrusted.com⩴80 // using u2A74 which decomposes to ::=
㏂nottrusted.com using Latin Common script ‘㏂’ which decomposes to a.m.
http://test.﹤.com // using ufe64 small less than sign in domain label
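
What the normalization tests above exercise, as an added example that is not part of the original post: the sketch below reports which non-ASCII characters turn into URL syntax under NFKC, and shows an exact-match blocklist missing a host until the input is normalized. The function names and the sample blocklist are assumptions made for illustration.

```python
import unicodedata

# Characters with structural meaning in a URL or host name.
URL_SYNTAX = set(":/.@?#=<>")

def syntax_from_nfkc(text):
    """List (code point, NFKC expansion) for every non-ASCII character
    whose compatibility form contains URL syntax characters."""
    hits = []
    for ch in text:
        if ord(ch) < 0x80:
            continue  # plain ASCII is already what it looks like
        expanded = unicodedata.normalize("NFKC", ch)
        if URL_SYNTAX.intersection(expanded):
            hits.append((f"U+{ord(ch):04X}", expanded))
    return hits

def blocklisted(host, blocklist, normalize):
    """Exact-match blocklist lookup, before or after NFKC + case folding."""
    key = unicodedata.normalize("NFKC", host).casefold() if normalize else host
    return key in blocklist

# Constructed samples, built from the test strings in the list above.
SAMPLES = [
    "www.nottrusted.com\uFF1A80",         # fullwidth colon -> ":"
    "www\u2024nottrusted.com",            # one dot leader -> "."
    "www.nottrusted.com\u2A7480",         # double colon equal -> "::="
    "\u33C2nottrusted.com",               # square AM -> "a.m."
    "www.nottrusted.com\u2044.test.com",  # fraction slash: no NFKC mapping
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), syntax_from_nfkc(sample))
```

U+2044 and U+2027 have no compatibility decomposition, so this check stays silent on them; they need a confusables or allow-list check instead.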

Prohibited code points tests

Test the prohibited characters from IETF RFC 3454 stringprep.

www .nottrusted.com // using non-ASCII space chars 00A0
www. .nottrusted.com // using non-ASCII space chars 1680 (Ogham space mark)
www.nottrusted.com // using ASCII control chars 001F
www․look۝.nottrusted.com // using non-ASCII control chars 06DD; ARABIC END OF AYAH
www․look᠎out.nottrusted.com // using non-ASCII control chars 180E; MONGOLIAN VOWEL SEPARATOR
www․look⁠out.nottrusted.com // using non-ASCII control chars 2060; WORD JOINER
www․lookout.nottrusted.com // using non-ASCII control chars FEFF; ZERO WIDTH NO-BREAK SPACE
www․look🿾out.nottrusted.com // using Non-character code points 1FFFE [NONCHARACTER CODE POINTS]
www․look�out.nottrusted.com // using Surrogate codes D800-DFFF; [SURROGATE CODES]
www․look�out.nottrusted.com // using Surrogate codes D800-DFFF; [SURROGATE CODES]
www․lookout.nottrusted.com // using Inappropriate for plain text FFFA; INTERLINEAR ANNOTATION SEPARATOR
www․look�out.nottrusted.com // using Inappropriate for plain text FFFD; INTERLINEAR ANNOTATION SEPARATOR
www․look⿰out.nottrusted.com // using Inappropriate for canonical representation 2FF0-2FFB; [IDEOGRAPHIC DESCRIPTION CHARACTERS]
www.looḱout.nottrusted.com // using Change display properties or are deprecated 0341; COMBINING ACUTE TONE MARK
‭www.look‮out.nottrusted.com‭ // using Change display properties or are deprecated 202E; RIGHT-TO-LEFT OVERRIDE
www․lookout.nottrusted.com // using Change display properties or are deprecated 206B; ACTIVATE SYMMETRIC SWAPPING
www.look󠀁out.nottrusted.com // using Tagging characters E0001; LANGUAGE TAG
www.look󠀠out.nottrusted.com // using Tagging characters E0020-E007F; [TAGGING CHARACTERS]
www.look־out.nottrusted.com // using Characters with bidirectional property “R” or “AL” 05BE
www.lookˮout.nottrusted.com // using Characters with bidirectional property “L” 02EE

Prohibited code points tests in whitelisted TLD .ORG

Test the prohibited characters from IETF RFC 3454 stringprep.

www .nottrusted.org // using non-ASCII space chars 00A0
www. .nottrusted.org // using non-ASCII space chars 1680 (Ogham space mark)
www.nottrusted.org // using ASCII control chars 001F
www․look۝.nottrusted.org // using non-ASCII control chars 06DD; ARABIC END OF AYAH
www․look᠎out.org // using non-ASCII control chars 180E; MONGOLIAN VOWEL SEPARATOR
www․look⁠out.nottrusted.org // using non-ASCII control chars 2060; WORD JOINER
www․lookout.nottrusted.org // using non-ASCII control chars FEFF; ZERO WIDTH NO-BREAK SPACE
www․look🿾out.nottrusted.org // using Non-character code points 1FFFE [NONCHARACTER CODE POINTS]
www․look�out.nottrusted.org // using Surrogate codes D800-DFFF; [SURROGATE CODES]
www․look�out.nottrusted.org // using Surrogate codes D800-DFFF; [SURROGATE CODES]
www․lookout.nottrusted.org // using Inappropriate for plain text FFFA; INTERLINEAR ANNOTATION SEPARATOR
www․look�out.nottrusted.org // using Inappropriate for plain text FFFD; INTERLINEAR ANNOTATION SEPARATOR
www․look⿰out.nottrusted.org // using Inappropriate for canonical representation 2FF0-2FFB; [IDEOGRAPHIC DESCRIPTION CHARACTERS]
www.looḱout.nottrusted.org // using Change display properties or are deprecated 0341; COMBINING ACUTE TONE MARK
‭www.look‮out.nottrusted.org‭ // using Change display properties or are deprecated 202E; RIGHT-TO-LEFT OVERRIDE
www․lookout.nottrusted.org // using Change display properties or are deprecated 206B; ACTIVATE SYMMETRIC SWAPPING
www.look󠀁out.nottrusted.org // using Tagging characters E0001; LANGUAGE TAG
www.look󠀠out.nottrusted.org // using Tagging characters E0020-E007F; [TAGGING CHARACTERS]
www.look־out.nottrusted.org // using Characters with bidirectional property “R” or “AL” 05BE
www.lookˮout.nottrusted.org // using Characters with bidirectional property “L” 02EE
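
A filter-side audit for the prohibited code point tests above, as an added example that is not part of the original post: it uses Python's standard `stringprep` module to report which RFC 3454 Appendix C table each character falls in. It also checks table B.1 ("commonly mapped to nothing"), which contains U+2060 and U+FEFF, so a stringprep mapping step deletes those two before any prohibition check runs. The function name and table labels are assumptions made for illustration.

```python
import stringprep

# RFC 3454 Appendix C prohibition tables, as exposed by the stdlib module.
PROHIBITED = [
    ("C.1.2 non-ASCII space", stringprep.in_table_c12),
    ("C.2.1 ASCII control", stringprep.in_table_c21),
    ("C.2.2 non-ASCII control", stringprep.in_table_c22),
    ("C.3 private use", stringprep.in_table_c3),
    ("C.4 non-character", stringprep.in_table_c4),
    ("C.5 surrogate", stringprep.in_table_c5),
    ("C.6 inappropriate for plain text", stringprep.in_table_c6),
    ("C.7 inappropriate for canonical representation", stringprep.in_table_c7),
    ("C.8 change display or deprecated", stringprep.in_table_c8),
    ("C.9 tagging", stringprep.in_table_c9),
]

def audit_host(host):
    """Return (findings, stripped).

    findings: (index, 'U+XXXX', [matching C tables], in_table_B1) for every
    character that is prohibited or mapped to nothing.
    stripped: host with the table B.1 characters removed, i.e. the string a
    stringprep-based resolver goes on to process.
    """
    findings = []
    for i, ch in enumerate(host):
        tables = [name for name, test in PROHIBITED if test(ch)]
        mapped_out = stringprep.in_table_b1(ch)
        if tables or mapped_out:
            findings.append((i, f"U+{ord(ch):04X}", tables, mapped_out))
    stripped = "".join(ch for ch in host if not stringprep.in_table_b1(ch))
    return findings, stripped

if __name__ == "__main__":
    # Constructed samples, built from the test strings in the lists above.
    for sample in ("www.look\u2060out.nottrusted.com",
                   "www.look\ufeffout.nottrusted.com",
                   "www.look\u202eout.nottrusted.com",
                   "www\u00a0.nottrusted.com"):
        print(ascii(sample), audit_host(sample))
```

A blocklist that compares the raw string sees `look<U+2060>out`, while the resolver sees `lookout`; auditing and comparing on the stripped form closes that gap.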