Unicode characters that get normalized into path traversal characters

This vector performs normalization and compares to see if the characters get normalized into path traversal characters

Created byhackvertor

Created Dec 12, 2024

Updated May 28, 2025

Detecting browser...

CategoryJavaScript Syntax

VisibilityPublic

TypeJS

CharsetUTF-8

Code used before fuzz:

const charsToCheck = ["\\","/","."];0x0D
const normalizationForms = ["NFKC", "NFC", "NFD", "NFKD"];

Template used:

$[i] > 0x7f && normalizationForms.forEach(form => {0x0D
    const normalized = String.fromCodePoint($[i]).normalize(form);0x0D
    for(let charToCheck of charsToCheck) {0x0D
       if(charToCheck === normalized) {0x0D
            log(String.fromCodePoint($[i])+"("+form+")"+"="+charToCheck);0x0D
        }0x0D
     }0x0D
})

Sample payloads

0 > 0x7f && normalizationForms.forEach(form => {0x0D
    const normalized = String.fromCodePoint(0).normalize(form);0x0D
    for(let charToCheck of charsToCheck) {0x0D
       if(charToCheck === normalized) {0x0D
            alert(String.fromCodePoint(0)+"("+form+")"+"="+charToCheck);0x0D
        }0x0D
     }0x0D
})

Unicode characters that get normalized into path traversal characters

Sample payloads

Fuzz results

Distributed Fuzzing