# Improper Handling of Unicode Encoding (CWE-176)

The product does not properly handle when an input contains Unicode encoding.

**Stack:** JavaScript

- Prevalence: मध्यम 3 भाषाएँ कवर की गईं
- Impact: मध्यम समीक्षा अनुशंसित
- Prevention: प्रलेखित 3 फिक्स उदाहरण

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

## Prevention

1 Shoulder डिटेक्शन नियमों पर आधारित Improper Handling of Unicode के लिए रोकथाम रणनीतियाँ।

### JavaScript

Normalize Unicode strings with NFKC before security-sensitive comparisons

## Warning Signs

- [MEDIUM] missing Unicode normalization in security-sensitive string comparisons

## Consequences

- सुरक्षा तंत्र को बायपास करना
- अनधिकृत कोड निष्पादित करना

## Mitigations

- प्रसंस्करण से पहले Unicode इनपुट को कैनोनिकल रूप में सामान्यीकृत करें
- Unicode सामान्यीकरण के बाद सुरक्षा जाँच लागू करें
- Unicode-जागरूक तुलना फ़ंक्शनों का उपयोग करें

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Unicode Normalization Security Issues** [MEDIUM]: Detects missing Unicode normalization in security-sensitive string comparisons.
Unicode allows multiple representations of visually identical characters, which
attackers can exploit to bypass input validation, authentication, or access control.

Common attack vectors:
- Homograph attacks (using lookalike characters): "аdmin" vs "admin" (Cyrillic 'а')
- Case folding differences: "ß" (German sharp s) becomes "SS" when uppercased
- Combining characters: "é" can be a single char or 'e' + combining a
  - Remediation: Normalize Unicode strings with NFKC before security-sensitive comparisons:

```javascript
app.post('/login', (req, res) => {
  const username = req.body.username.normalize('NFKC').toLowerCase();
  if (username === 'admin') {
    return res.send('Admin access');
  }
  res.send('User access');
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-176/unicode-normalization

### Typescript (1 rules)

- **Unicode Normalization Security Issues** [MEDIUM]: Detects missing Unicode normalization in security-sensitive string comparisons.
Unicode allows multiple representations of visually identical characters, which
attackers can exploit to bypass input validation, authentication, or access control.

Common attack vectors:
- Homograph attacks (using lookalike characters): "аdmin" vs "admin" (Cyrillic 'а')
- Case folding differences: "ß" (German sharp s) becomes "SS" when uppercased
- Combining characters: "é" can be a single char or 'e' + combining a
  - Remediation: Normalize Unicode strings with NFKC before security-sensitive comparisons:

```javascript
app.post('/login', (req, res) => {
  const username = req.body.username.normalize('NFKC').toLowerCase();
  if (username === 'admin') {
    return res.send('Admin access');
  }
  res.send('User access');
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-176/unicode-normalization