Improper Handling of Unicode Encoding (CWE-176)

Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

보급률

보통

3개 언어 지원

영향

보통

검토 권장

예방

문서화됨

3개의 수정 예시

2 예방

이 취약점을 수정하는 방법

3개의 Shoulder 탐지 규칙을 기반으로 한 Improper Handling of Unicode 예방 전략.

🐹 Go 모두 보기 Go 자세히 →

Unicode Normalization Security Issues MEDIUM

Normalize strings with NFKC before security-sensitive comparisons

+6 -3 go

- func handler(w http.ResponseWriter, r *http.Request) {
-     username := r.FormValue("username")
-     if username == "admin" {
+ import "golang.org/x/text/unicode/norm"
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     username := r.FormValue("username")
+     normalized := norm.NFKC.String(strings.ToLower(username))
+     if normalized == "admin" {
          grantAdminAccess()
      }
  }

🟨 JavaScript 모두 보기 JavaScript 자세히 →

Unicode Normalization Security Issues MEDIUM

Normalize Unicode strings with NFKC before security-sensitive comparisons

+2 -1 javascript

  app.post('/login', (req, res) => {
-   if (req.body.username === 'admin') {
+   const username = req.body.username.normalize('NFKC').toLowerCase();
+   if (username === 'admin') {
      return res.send('Admin access');
    }
  });

🐍 Python 모두 보기 Python 자세히 →

Unicode Normalization Issues MEDIUM

Normalize Unicode strings with NFKC before comparison or security-critical operations

+6 -2 python

- def check_username(input_name, stored_name):
-     if input_name == stored_name:
+ import unicodedata
+ 
+ def check_username(input_name, stored_name):
+     normalized_input = unicodedata.normalize('NFKC', input_name).lower()
+     normalized_stored = unicodedata.normalize('NFKC', stored_name).lower()
+     if normalized_input == normalized_stored:
          grant_access()

3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Improper Handling of Unicode Encoding 패턴을 스캔하세요. 3 규칙.

터미널

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=176

# Or scan entire project
npx @shoulderdev/cli trust .

탐지 규칙 (3)

🐹 Go 1 rules

Unicode Normalization Security Issues MEDIUM

Security-sensitive string comparison without Unicode normalization.

🟨 Javascript 1 rules

Unicode Normalization Security Issues MEDIUM

Detects missing Unicode normalization in security-sensitive string comparisons. Unicode allows multiple representations of visually identical characters, which attackers can exploit to bypass input validation, authentication, or access control. Common attack vectors: - Homograph attacks (using lookalike characters): "аdmin" vs "admin" (Cyrillic 'а') - Case folding differences: "ß" (German sharp s) becomes "SS" when uppercased - Combining characters: "é" can be a single char or 'e' + combining a

🔷 Typescript 1 rules

Unicode Normalization Security Issues MEDIUM

🐍 Python 1 rules

Unicode Normalization Issues MEDIUM

Detects missing Unicode normalization leading to security bypasses.

4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Improper Handling of Unicode Encoding 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟡

missing Unicode normalization in security-sensitive string comparisons javascript-unicode-normalization

🔍

코드베이스를 스캔하세요: Improper Handling of Unicode Encoding

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.

npx shoulder trust 모든 규칙 보기