Bypassing WAFs with Unicode Compatibility#

Web Application Firewalls (WAFs) often rely on blacklists. They block <script>, javascript:, and alert(. But what if we can write these words without using standard ASCII characters?

The Magic of Unicode Normalization#

Many systems normalize input before processing it. This means they convert "fancy" characters into their standard ASCII equivalents.

＜ (Fullwidth Less-Than) becomes <
ｓｃｒｉｐｔ (Fullwidth Latin) becomes script
℡ (Telephone Sign) might become TEL

The Attack#

If the WAF checks the input before normalization, but the backend application processes it after normalization, we have a bypass.

Example: XSS#

WAF Rule: Block <script>

Payload: ＜ｓｃｒｉｐｔ＞alert(1)＜/ｓｃｒｉｐｔ＞

Flow:

WAF: Sees ＜ｓｃｒｉｐｔ＞. This does not match <script>. PASS.
Backend: Normalizes input. ＜ｓｃｒｉｐｔ＞ becomes <script>.
Execution: The browser executes the script.

Finding Compatible Characters#

You can use the IDNA (Internationalizing Domain Names in Applications) standard to find these mappings.

I can be represented by Ⅰ (Roman Numeral One)
K can be represented by K (Kelvin Sign)

Conclusion#

Unicode is vast and complex. Whenever you face a WAF, check if the application performs normalization. It might be your golden ticket.

Bypassing WAFs with Unicode Compatibility

Bypassing WAFs with Unicode Compatibility#

The Magic of Unicode Normalization#

The Attack#

Example: XSS#

Finding Compatible Characters#

Conclusion#

What do you think?

Related Posts

WordPress Exploitation 2025: Uncovering Critical Vulnerabilities in the World's Most Popular CMS

Mastering Cross-Site Scripting (XSS): A Comprehensive Guide for 2025

The Ultimate Guide to SQL Injection (SQLi) in 2025: Detection, Exploitation, and Prevention

Comments