

Visual Spoofing

A visual spoofing (homograph) attack occurs when characters that appear visually identical or nearly indistinguishable are substituted to deceive users or systems. These characters originate from different Unicode code points but render similarly in most fonts. Adversaries exploit these similarities to craft deceptive domain names, file names, or identifiers that trick users into trusting malicious resources (e.g., `аррӏе.com`, written entirely in Cyrillic letters, vs. `apple.com`).

Remediation

  • Normalise and validate input to restrict or reject mixed-script identifiers (e.g., disallow Cyrillic + Latin characters in the same domain or username).
  • Use Punycode (`xn--`) representation for internationalised domain names (IDN) to expose deceptive Unicode characters to users and detection systems.
  • Apply allow-lists for acceptable character sets in usernames, domains, or identifiers.
  • Educate users and administrators to recognise Punycode-prefixed domains in logs, emails, and browsers.
  • Leverage browser or application security features that flag mixed-script or confusable characters.
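As an added example (not code from the SecDim page or its labs), the Python below applies the first two remediation points to the page's `аррӏе.com` case: a per-label mixed-script check, a confusable "skeleton" check built on a small constructed subset of Unicode's confusables table, and the Punycode rendering that exposes the spoof. The page's example is entirely Cyrillic, so the mixed-script check alone would let it through; the skeleton check and the `xn--` form are what catch it.

```python
import unicodedata

# Constructed subset of Unicode confusables.txt: Cyrillic letters whose glyphs
# match Latin ones in common fonts (a real check would load the full table).
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l",  # PALOCHKA, the look-alike 'l' in the apple.com spoof
}

def script_of(ch):
    """Approximate the Unicode Script property from the first word of the
    character name ('LATIN', 'CYRILLIC', ...); digits and hyphen -> 'COMMON'."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "COMMON" if first in ("DIGIT", "HYPHEN-MINUS") else first

def scripts_in(label):
    """Scripts used by a label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"COMMON"}

def to_punycode(domain):
    """Render non-ASCII labels as xn-- labels (RFC 3492 codec; IDNA mapping omitted)."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)

def skeleton(label):
    """Replace each confusable character with its Latin look-alike."""
    return "".join(CONFUSABLE_TO_LATIN.get(c, c) for c in label)

def assess(domain):
    """Per-label mixed-script and confusable checks, plus the Punycode form for logs/UIs."""
    findings = []
    for label in domain.lower().split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:  # e.g. Latin 'p' beside Cyrillic a (U+0430)
            findings.append("%s: mixed scripts %s" % (label, sorted(scripts)))
        sk = skeleton(label)
        if not label.isascii() and sk.isascii() and sk != label:
            findings.append("%s: confusable with ASCII %r" % (label, sk))
    return {"punycode": to_punycode(domain), "findings": findings}

if __name__ == "__main__":  # constructed inputs: the page's example and a Latin/Cyrillic mix
    for d in ("apple.com", "\u0430\u0440\u0440\u04cf\u0435.com", "p\u0430ypal.com"):
        print(d, "->", assess(d))
```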

Metadata

  • Severity: low
  • Slug: visual-spoofing

CWEs

  • 290: Authentication Bypass by Spoofing
  • 1007: Insufficient Visual Distinction of Homoglyphs Presented to User
  • 178: Improper Handling of Case Sensitivity
  • 20: Improper Input Validation
  • 176: Improper Handling of Unicode Encoding

OWASP

  • A01:2021: Broken Access Control
  • A07:2021: Identification and Authentication Failures

Available Labs

Open PHP labs in SecDim Play for this vulnerability.
