A visual spoofing (homograph) attack occurs when characters that appear visually identical or nearly indistinguishable are substituted to deceive users or systems. These characters originate from different Unicode code points but render similarly in most fonts. Adversaries exploit these similarities to craft deceptive domain names, file names, or identifiers that trick users into trusting malicious resources (e.g., `аррӏе.com` vs. `apple.com`).
Remediation
Normalise and validate input to restrict or reject mixed-script identifiers (e.g., disallow Cyrillic + Latin characters in the same domain or username).
Use Punycode (`xn--`) representation for internationalised domain names (IDN) to expose deceptive Unicode characters to users and detection systems.
Apply allow-lists for acceptable character sets in usernames, domains, or identifiers.
Educate users and administrators to recognise Punycode-prefixed domains in logs, emails, and browsers.
Leverage browser or application security features that flag mixed-script or confusable characters.
Metadata
Severity: low
Slug: visual-spoofing
CWEs
290: Authentication Bypass by Spoofing
1007: Insufficient Visual Distinction of Homoglyphs Presented to User
178: Improper Handling of Case Sensitivity
20: Improper Input Validation
176: Improper Handling of Unicode Encoding
OWASP
A01:2021: Broken Access Control
A07:2021: Identification and Authentication Failures
Available Labs
Select a language to explore available labs for this vulnerability.
Want to skill-up in secure coding and AppSec?
Try SecDim Wargames to learn how to find, hack
and fix security vulnerabilities inspired by real-world incidents.
Join our secure coding and AppSec community.
A discussion board to share and
discuss all aspects of secure
programming, AppSec, DevSecOps,
fuzzing, cloudsec, AIsec
code review, and more.
