Unicode characters that get normalized into path traversal characters

This vector performs normalization and compares to see if the characters get normalized into path traversal characters

Created by: hackvertor

Created on: Thursday, December 12, 2024 at 12:54:59 PM

Updated on: Saturday, December 21, 2024 at 2:00:34 PM

Vector type: JS

Vector charset: UTF-8

Code used before fuzz:

const charsToCheck = ["\\","/","."];
const normalizationForms = ["NFKC", "NFC", "NFD", "NFKD"];

Template used:

$[i] > 0x7f && normalizationForms.forEach(form => {
    const normalized = String.fromCodePoint($[i]).normalize(form);
    for(let charToCheck of charsToCheck) {
       if(charToCheck === normalized) {
            log(String.fromCodePoint($[i])+"("+form+")"+"="+charToCheck);
        }
     }
})

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

0 > 0x7f && normalizationForms.forEach(form => {
    const normalized = String.fromCodePoint(0).normalize(form);
    for(let charToCheck of charsToCheck) {
       if(charToCheck === normalized) {
            alert(String.fromCodePoint(0)+"("+form+")"+"="+charToCheck);
        }
     }
})

Fuzz results

Chrome 131.0.0.0 desktop macOS 10.15.7

Updated

Thu Dec 12 2024

Found 12 results

Show differences only?

Filter out alphanumeric

Sort ascending