RTLO Injection leads to URi Spoofing

Disclosed by

nt3c

Engagement Asana
Disclosed date 1 Jun 2022 almost 3 years ago
Priority P5 Bugcrowd's VRT priority rating
Status Informational This vulnerability is seen as an accepted business risk

Summary by nt3c

t was possible to perform RTLO Injection (Right To Left Override Injection). This technique takes advantage of \u202E, a non-printing Unicode character that causes the text that follows it to be displayed in reverse it is commonly used to disguise a string and/or file name and/or url to make it appear benign and to bypass security defences.

Activity

y3t1 Customer published the disclosure report
3 years ago(01 Jun 2022 22:34:27 UTC)
nt3c requested disclosure
3 years ago(30 May 2022 09:51:18 UTC)
soheesec_bugcrowd changed the state to Informational
3 years ago(30 May 2022 03:55:55 UTC)
soheesec_bugcrowd sent a message
3 years ago(30 May 2022 03:55:53 UTC)
nt3c sent a message
3 years ago(28 May 2022 11:39:55 UTC)Edited 3 years ago
nt3c created the submission
3 years ago(28 May 2022 11:17:50 UTC)