

Showing posts from 2017

URLs Anchor Text Spoofing

Hello friends. In this post I will talk about how to spoof URLs visually using the Unicode character Right-to-Left Override (U+202E).

So let's start with "What is U+202E?" In very simple words, it's a Unicode character that VISUALLY changes all subsequent characters from the right position to the left position.

Example: In a Unicode-aware environment "\u202Eabcdef" would be displayed as "fedcba", but the actual string would still be "\u202Eabcdef".

Demo in Browser Console:

This trick is very old, and it was used to spoof the extensions of files. However, the same method can now be applied to spoof the anchor text of URLs as well. On many websites like Facebook, Gmail, Instagram, WhatsApp, etc., this character (U+202E) is removed from the anchor link but kept in the anchor text, hence we can easily spoof the anchor text there. Let's spoof the anchor text of URL "" to "faceb
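A defensive check for the behaviour described above, added here as an example and not taken from the original post: it flags and strips bidirectional control characters from a link label before rendering, so the label gets the same treatment the post says those sites already give the link itself. The function names and the simplified display preview are assumptions made for illustration.

```javascript
// Explicit bidirectional formatting characters. U+202E (RLO) is the one
// discussed in the post; the others are the related marks, embeddings,
// overrides and isolates defined by Unicode.
const BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/g;

// Report every bidi control in a string with its position and code point.
function findBidiControls(text) {
  return [...text.matchAll(BIDI_CONTROLS)].map((m) => ({
    index: m.index,
    codePoint: 'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
  }));
}

// Remove the controls so the stored string and the displayed string agree.
function stripBidiControls(text) {
  return text.replace(BIDI_CONTROLS, '');
}

// Rough preview of what a reader sees: text after U+202E is shown reversed
// until U+202C or the end. Simplification: assumes plain left-to-right
// letters and no nested controls; it is not the full bidi algorithm.
function approxDisplayed(text) {
  const start = text.indexOf('\u202E');
  if (start === -1) return text;
  const end = text.indexOf('\u202C', start);
  const stop = end === -1 ? text.length : end;
  const flipped = [...text.slice(start + 1, stop)].reverse().join('');
  return text.slice(0, start) + flipped + stripBidiControls(text.slice(stop));
}

// Review one link label before rendering it (hypothetical helper).
function reviewAnchorText(label) {
  const controls = findBidiControls(label);
  return {
    suspicious: controls.length > 0,
    controls,
    displayedAs: approxDisplayed(label),
    safeLabel: stripBidiControls(label),
  };
}

// Constructed sample: the post's own example string.
const sample = reviewAnchorText('\u202Eabcdef');
console.log(sample);
```

Running the check on the link label as well as on the link target closes the gap the post relies on, where only the target is cleaned.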

Xssing Web Part - 2

Xssing Web With Unicodes

Hello friends. This is the second part of "Xssing Web". In this post I will show how to abuse Unicode to bypass XSS filters. BTW, if you want to check the previous part, click here.

Note: If you think there are any mistakes in this post, kindly mention them in the comments.

I have developed several XSS challenges to show how Unicode can be used to bypass filters. If you want to try those challenges first, click here, and come back here if you couldn't solve any.

Abusing Unicode:

So what is Unicode? -> Unicode is nothing but the encoding standard. It defines the UTF-8, UTF-16, UTF-32, etc. encodings.

1) UTF-8:

Character Size: 1 byte to 4 bytes

Example:

Character "A" => 0x41
Character "¡" => 0xC2 0xA1
Character "ಓ" => 0xE0 0xB2 0x93
Character "𪨶" => 0xF0 0xAA 0xA8 0xB6

2) UTF-16:

Character Size: 2 bytes

However in UTF-16 there are two