IDN Homograph Attack

What is an IDN Homograph Attack?

IDN stands for Internationalized Domain Name. These are domain names that include characters from various languages and scripts, not just the ASCII characters (a-z, 0-9) traditionally used in domain names.

A homograph refers to characters that look alike but are different. Technically, the term homoglyph is more accurate because it denotes characters that look similar across different scripts.

How Does an IDN Homograph Attack Work?

An IDN homograph attack exploits the visual similarity between characters from different scripts to deceive users about the true nature of a domain name.

Example of Homographs

Latin "a" (U+0061)
Cyrillic "а" (U+0430)

These two characters look almost identical but are different from a computer’s perspective.

Script Spoofing

Also known as script spoofing, this attack involves using characters from different scripts to create deceptive domain names. Unicode, the character encoding standard, includes characters from many writing systems. Some characters look similar but have different codes and meanings. For example:

Greek Ο (U+039F)
Latin O (U+004F)
Cyrillic О (U+041E)

IDN

Unicode

Legitimate match

xn--alixpress-d4a.com

aliéxpress.com

aliexpress.com

xn--go0gl-3we.fm

go0glе.fm

google.com

xn--mazon-wqa.com

ámazon.com

amazon.com

Checklist

OAuth redirect_uri bypass using IDN homograph attack

Semrush disclosed on HackerOne: OAuth `redirect_uri` bypass using...HackerOne

Bypass Redirection Filters

HackerOne disclosed on HackerOne: Homograph fix BypassHackerOne

Steal Victim's Reset Password Tokens

1. Open the burp collaborator client > Generate Collaborator payload .
2. Go to the sign up page of target.com and create a new account with email- abc@gmail.com.burpcollaboratorpayloadhere
3. Now if the target.com has email confirmation > you will receive the email confirmation link in burp collaborator client > verify the email.
4. Go to password reset page of target.com > enter email as abc@gmáil.com.burpcollaboratorpayloadhere
5. If the target.com is vulnerable then it will send password reset link to the mail- abc@xn — gmil-6na.com.burpcollaboratorpayloadhere and you will receive password reset link in burp collaborator client. Make sure to check in burp collaborator client -received email details: To- abc@xn — gmil-6na.com.burpcollaboratorpayloadhere.
6. Now you can change the password and access the victim’s account.

How I was able to change victim’s password using IDN Homograph AttackInfoSec Write-ups

Password Reset Link Poisoning (Host Injection)

IDN Homograph Attack - Reborn of the Rare CaseMedium

File Names Attacks
Usernames Attavk
Account Overwrite in email change function

Change Email to vctim's email but with idn homograph attack 
Victim's Email: victim@gmail.com
Attacker's Email: victim@gmáil.com

2FA Bypass

2FA Bypass - IDN MischiefMedium

Tools

GitHub - evilsocket/ditto: A tool for IDN homograph attacks and detection.GitHub

https://0xacb.com/normalization_table

GitHub - JesseClarkND/abnormalizer: unicode abnormalizer to takes a unicode string and abnormalizes it by character replacmentGitHub

Homoglyph Attack Generator and Punycode Converter

Another Resources

IDN Homograph Attack and Response Manipulation - The Rarest CaseMedium

Homograph attack: What is it and how to avoid itPaubox

IDN Homograph | NotionMohamed Walid's Notion on Notion

PreviousHacking Web Sockets NextDNS Rebinding Attack

Last updated 2 months ago