Improper Handling of Unicode Encoding (CWE-176)

Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

Prevalence

Medium

3 languages covered

Impact

Medium

Review recommended

Prevention

Documented

3 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Improper Handling of Unicode based on 3 Shoulder detection rules.

🐹 Go View all Go details →

Unicode Normalization Security Issues MEDIUM

Normalize strings with NFKC before security-sensitive comparisons

+6 -3 go

- func handler(w http.ResponseWriter, r *http.Request) {
-     username := r.FormValue("username")
-     if username == "admin" {
+ import "golang.org/x/text/unicode/norm"
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     username := r.FormValue("username")
+     normalized := norm.NFKC.String(strings.ToLower(username))
+     if normalized == "admin" {
          grantAdminAccess()
      }
  }

🟨 JavaScript View all JavaScript details →

Unicode Normalization Security Issues MEDIUM

Normalize Unicode strings with NFKC before security-sensitive comparisons

+2 -1 javascript

  app.post('/login', (req, res) => {
-   if (req.body.username === 'admin') {
+   const username = req.body.username.normalize('NFKC').toLowerCase();
+   if (username === 'admin') {
      return res.send('Admin access');
    }
  });

🐍 Python View all Python details →

Unicode Normalization Issues MEDIUM

Normalize Unicode strings with NFKC before comparison or security-critical operations

+6 -2 python

- def check_username(input_name, stored_name):
-     if input_name == stored_name:
+ import unicodedata
+ 
+ def check_username(input_name, stored_name):
+     normalized_input = unicodedata.normalize('NFKC', input_name).lower()
+     normalized_stored = unicodedata.normalize('NFKC', stored_name).lower()
+     if normalized_input == normalized_stored:
          grant_access()

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Improper Handling of Unicode Encoding patterns. 3 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=176

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

🐹 Go 1 rules

Unicode Normalization Security Issues MEDIUM

Security-sensitive string comparison without Unicode normalization.

🟨 Javascript 1 rules

Unicode Normalization Security Issues MEDIUM

Detects missing Unicode normalization in security-sensitive string comparisons. Unicode allows multiple representations of visually identical characters, which attackers can exploit to bypass input validation, authentication, or access control. Common attack vectors: - Homograph attacks (using lookalike characters): "аdmin" vs "admin" (Cyrillic 'а') - Case folding differences: "ß" (German sharp s) becomes "SS" when uppercased - Combining characters: "é" can be a single char or 'e' + combining accent - Full-width characters: "ａｄｍｉｎ" vs "admin" Always normalize Unicode strings using String.prototype.normalize() before security-sensitive comparisons.

🔷 Typescript 1 rules

Unicode Normalization Security Issues MEDIUM

🐍 Python 1 rules

Unicode Normalization Issues MEDIUM

Detects missing Unicode normalization leading to security bypasses.

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Improper Handling of Unicode Encoding vulnerabilities. Look for these during code reviews and security audits.

🟡

missing Unicode normalization in security-sensitive string comparisons javascript-unicode-normalization

🔍

Scan your codebase for Improper Handling of Unicode Encoding

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules