IDN Homograph Attack

What is an IDN Homograph Attack?

IDN stands for Internationalized Domain Name. These are domain names that include characters from various languages and scripts, not just the ASCII characters (a-z, 0-9) traditionally used in domain names.

A homograph refers to characters that look alike but are different. Technically, the term homoglyph is more accurate because it denotes characters that look similar across different scripts.

How Does an IDN Homograph Attack Work?

An IDN homograph attack exploits the visual similarity between characters from different scripts to deceive users about the true nature of a domain name.

Example of Homographs

• Latin "a" (U+0061)

• Cyrillic "а" (U+0430)

These two characters look almost identical but are different from a computer’s perspective.

Script Spoofing

Also known as script spoofing, this attack involves using characters from different scripts to create deceptive domain names. Unicode, the character encoding standard, includes characters from many writing systems. Some characters look similar but have different codes and meanings. For example:

• Greek Ο (U+039F)

• Latin O (U+004F)

• Cyrillic О (U+041E)

IDN	Unicode	Legitimate match
xn--alixpress-d4a.com	aliéxpress.com	aliexpress.com
xn--go0gl-3we.fm	go0glе.fm	google.com
xn--mazon-wqa.com	ámazon.com	amazon.com

Checklist

• OAuth redirect_uri bypass using IDN homograph attack

Semrush disclosed on HackerOne: OAuth `redirect_uri` bypass using...HackerOne

• Bypass Redirection Filters

HackerOne disclosed on HackerOne: Homograph fix BypassHackerOne

• Steal Victim's Reset Password Tokens

1. Open the burp collaborator client > Generate Collaborator payload .
2. Go to the sign up page of target.com and create a new account with email- abc@gmail.com.burpcollaboratorpayloadhere
3. Now if the target.com has email confirmation > you will receive the email confirmation link in burp collaborator client > verify the email.
4. Go to password reset page of target.com > enter email as abc@gmáil.com.burpcollaboratorpayloadhere
5. If the target.com is vulnerable then it will send password reset link to the mail- abc@xn — gmil-6na.com.burpcollaboratorpayloadhere and you will receive password reset link in burp collaborator client. Make sure to check in burp collaborator client -received email details: To- abc@xn — gmil-6na.com.burpcollaboratorpayloadhere.
6. Now you can change the password and access the victim’s account.

How I was able to change victim’s password using IDN Homograph AttackInfoSec Write-ups

• Password Reset Link Poisoning (Host Injection)

IDN Homograph Attack - Reborn of the Rare CaseMedium

• File Names Attacks

• Usernames Attavk

• Account Overwrite in email change function

Change Email to vctim's email but with idn homograph attack 
Victim's Email: victim@gmail.com
Attacker's Email: victim@gmáil.com

• 2FA Bypass

2FA Bypass - IDN MischiefMedium

Tools

GitHub - evilsocket/ditto: A tool for IDN homograph attacks and detection.GitHub

https://0xacb.com/normalization_table

GitHub - JesseClarkND/abnormalizer: unicode abnormalizer to takes a unicode string and abnormalizes it by character replacmentGitHub

Homoglyph Attack Generator and Punycode Converter

Another Resources

IDN Homograph Attack and Response Manipulation - The Rarest CaseMedium

Homograph attack: What is it and how to avoid itPaubox

IDN Homograph | NotionMohamed Walid's Notion on Notion