Unicode, Punycode, What else?

Hi @all, I am on the hunt for old Internet codes. I stumbled across Punycode and realized that sth like xn--i28h is a smiling face. Is there sth similar, except Unicode (U+...)? How can an emoji like that also be encoded in normal text format?

👍 3
👤 u/Away-Ad6549
📅 Jan 19 2022

Do you see that little fleck of dust under the domain name in the left screenshot? Actually not dust. Enable show_punycode in Firefox in order to avoid phishing URLs. - @ElectrumWallet
👍 165
👤 u/BashCo
📅 Jul 02 2019

Big Firefox Fail vs other browsers: Punycode. Krebs article. krebsonsecurity.com/2018/…
👍 62
👤 u/q928hoawfhu
📅 Mar 08 2018

RegEx Punycode

Hi,

I am trying to find a RegEx line to block all so called "Punycode" Domains, which are identifiable by the xn-- in the URL.

But

.*(xn--)([a-zA-Z0-9\-\._]{2,256})*(\.[a-z]{2,18})

does not work in Pihole even though RegEx101.com says it should.

First I thought the "--" in "xn--" would be wrong so I tried to escape it with

.*(xn\-\-)([a-zA-Z0-9\-\._]{2,256})*(\.[a-z]{2,18})

But the result is the same. RegEx101 says it's good, but Pihole doesn't catch it.

The error must be in the ".*(xn\-\-)" part... but I don't know where.

I test it against www.köln.de

Thanks for helping, Greetings.

👍 21
👤 u/dapansen
📅 Feb 11 2020

IDN in Punycode

Hello!
I've made a Portfolio Website and chose to use a Domain with cyrillic characters. Sadly, it's being displayed as "http://xn--80afg8d.me/", which is ugly as hell.

Is there any way to make browsers display it correctly? Does the same thing happen with other IDNs like Japanese ones?

Thanks in advance!

👍 2
👤 u/mirnanco
📅 Mar 10 2021

Is there a regex for blocking punycode?

I sure wouldn't mind blocking all Cyrillic, or other characters. Has anyone worked this out yet?

https://en.wikipedia.org/wiki/Punycode

👍 14
👤 u/agb-101
📅 Dec 05 2019

network.IDN_show_punycode; ?

Why haven't the newer FF versions changed the default setting from network.IDN_show_punycode;false to network.IDN_show_punycode;true yet? Sorry if this has been asked a million times. Just curious. Thanks

👍 16
👤 u/tasteslikebeaver
📅 May 11 2019

Is there a way of converting punycode into unicode?

I'm looking at creating a dashboard for IDN addresses to look for homoglyph attacks. I can pretty easily pull everything by checking DNS queries for xn--*, and can export those to run through a script to convert into Unicode, but I was wondering if there was a way of just converting the punycode into proper Unicode in the pipeline. Does anyone know of a way of doing this?

EDIT: I've got a user Splunk account in an enterprise environment. I've got Splunk code as follows:

index="dns" "query"="xn--*" | stats count by query

The PowerShell is simple too:

$idn = New-Object System.Globalization.IdnMapping
$unicode = $idn.GetUnicode("$punycode")

the issue is how to run it (or its equivalent) within Splunk

👍 2
👤 u/dantose
📅 Aug 04 2020

fake website imitating stellar punycode

Hello

please beware of this scam spoof website hosted on IP 217.8.117.54 and domain stelląr.com

It uses punycode to resemble the domain name.

VDS: CREXFEXPEX-RUSSIA, RU. The main domain is xn--stellr-00a.com.

👍 27
👤 u/dimatarusnaka
📅 Mar 06 2020

Do you see that little fleck of dust under the domain name in the left screenshot? Actually not dust. Enable show_punycode in Firefox in order to avoid phishing URLs. - @ElectrumWallet
👍 25
👤 u/Fiach_Dubh
📅 Jul 02 2019

Punycode hacks in crypto and how to avoid them techmerge.io/2019/07/12/t…
👍 5
👤 u/RaghuMohan25
📅 Jul 12 2019

Punycode hacks are one of the trickiest forms of hacking, learn how to detect, prevent these hacks here - techmerge.io/2019/07/12/t…
👍 16
👤 u/Kaavyatheexplorer
📅 Jul 12 2019

Phishing on crypto exchanges with Punycode domains - Krypto.ist krypto.ist/thema/phishing…
👍 2
👤 u/jositonedice
📅 Feb 27 2018

POC Punycode phishing attacks thehackernews.com/2017/04…
👍 2
👤 u/rtbot2
📅 Apr 17 2017

GitHub - 6IX7ine/certstreamcatcher: This tool is based on regex with effective standards for detecting phishing sites in real time using certstream and can also detect punycode (IDNA) attacks. github.com/6IX7ine/certst…
👍 3
👤 u/6IX7ine
📅 Nov 16 2018

The snippet to use punycode in InterSystems Caché community.intersystems.co…
👍 2
👤 u/intersystemsdev
📅 Jul 18 2017

Punycode hacks are on the rise in crypto - here's how you can avoid them techmerge.io/2019/07/12/t…
👍 2
👤 u/RaghuMohan25
📅 Jul 12 2019

Punycode url vulnerability in chrome still exists. don't click any bitmain sponsored links on facebook.

punycode flaw is NOT fixed in chrome

Version 63.0.3239.132 (Official Build) (64-bit)

The site I am on is a phishing attempt from a sponsored link in facebook made to look exactly like bitmain.com's actual website. chrome displays the address as https://shop.bitmain.com/antminer_s9_asic_bitcoin_miner/ If you copy the hyperlink from the address bar and paste it anywhere else, the hyperlink is no longer the bitmain.com address but instead: https://shop.xn--bitmai-1eb.com/antminer_s9_asic_bitcoin_miner/

this is the phishing website https://imgur.com/a/TG2PJ

👍 3
👤 u/darthmauldog1125
📅 Jan 13 2018

Beware of Punycode hacks - here's how you can avoid them techmerge.io/2019/07/12/t…
👍 5
👤 u/RaghuMohan25
📅 Jul 12 2019

Why is network.IDN_show_punycode default to false?

Doesn't this make moms and pops exposed to phishing attacks? Sure.... us 1337 hackers set it to true but what about average users?

👍 11
👤 u/kickass_turing
📅 Feb 01 2018

PSA on Punycode URL vulnerability and how to address it wordfence.com/blog/2017/0…
👍 39
👤 u/betona
📅 Apr 14 2017

Chrome, Firefox, Opera vulnerable to punycode related phishing attack (xpost r/webdev)

Chrome, Firefox, Opera vulnerable to punycode related phishing attack: arstechnica article

How to fix (from article):

>People who use Chrome should install version 58 as soon as possible. Firefox users can protect themselves by entering "about:config" in the address bar and agreeing to the displayed warning. From there, enter "punycode" in the search box to bring up a line that reads network.IDN_show_punycode. Next, double-click the word "false" to change it to "true." From then on, Firefox will display the "dumb ascii" characters and not the deceptive, encoded ones. Besides Apple's Safari, Microsoft's Edge and Internet Explorer browsers are also not affected, at least as long as they don't have support for a Cyrillic language.

discussion about it on /r/webdev: https://www.reddit.com/r/webdev/comments/66mksc/chrome_firefox_and_opera_users_beware_this_isnt/

👍 15
👤 u/weenaak
📅 Apr 21 2017

Punycode and special / non-ascii characters in domain names - thoughts on blocking them.

Hi,

I understand that people might want personal domains with special characters in domain names (if permitted) and or use punycode to achieve / encode special characters but is there any legitimate / business reason for a domain to have them ?

Surely businesses / genuine sites would want people to be able to type their domain address without resorting to keyboard contortions and not just have to click on links etc. ?

Combine that with the ever-increasing use of special characters that look like normal ascii characters (such as ẑ ẹ ọ ) in fake domains for phishing / malware attacks is there any reason not to create a regex entry to

a) block all punycode modified domains (containing xn--)

b) block any domains with non-ascii characters in them. Would you really notice not to click on goọgle.com ?

I have already created a punycode block (waiting to see just how effective / active it is) but am now looking at non-ascii and am wondering if this is at all effective or necessary.

👍 3
👤 u/dispo2
📅 Feb 03 2019

Make "network.IDN_show_punycode" true by default?

Just read about this on: https://www.ghacks.net/2017/04/17/punycode-phishing-attack-fools-even-die-hard-internet-veterans/

Would be nice if this was set to true by default? Would make the browser even a tad more secure. Just thinking out loud. I sure as hell couldn't see the difference between the characters, but was ever so obvious when the real url was shown when the option was set to true.

👍 5
👤 u/ShadowSingularity
📅 Apr 17 2017

Hi if I register a domain using an emoji (it converts it to some punycode thing), will I be able to access that domain I bought using the emoji itself?
👍 2
👤 u/OptimistCommunist
📅 Jun 14 2019

POC Punycode phishing attacks

This is an automatic summary, original reduced by 70%.


> He warned, Hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users.

> If your web browser is displaying "Apple.com" in the address bar secured with SSL, but the content on the page is coming from another server, then your browser is vulnerable to the homograph attack.

> Homograph attack has been known since 2001, but browser vendors have struggled to fix the problem.

> Punycode Phishing Attacks: By default, many web browsers use 'Punycode' encoding to represent Unicode characters in the URL to defend against such phishing attacks.

> This loophole allowed the researcher to register a domain name xn-80ak6aa92e.com which appears as "Apple.com" by all vulnerable web browsers, including Chrome, Firefox, and Opera, though Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi are not vulnerable.

> Millions of Internet users who are at risk of this sophisticated hard-to-detect phishing attack are recommended to disable Punycode support in their web browsers in order to temporarily mitigate this attack and identify such phishing domains.


Summary Source | FAQ | Theory | Feedback | Top five keywords: browser^#1 web^#2 attack^#3 character^#4 Punycode^#5

Post found in /r/technology and /r/realtech.

NOTICE: This thread is for discussing the submission topic. Please do not discuss the concept of the autotldr bot here.

👍 2
👤 u/autotldr
📅 Apr 17 2017

Issues requesting websites with punycode in the URI

I'm having issues with the script below. The script reads a txt file with a list of client URLs, the output of the script is an xml that gives basic information, basically telling us if the site is up, down, or needs to be checked manually. The problem is if the uri has a special character, the output shows the site as being down.

  • I'm at my wits end with this and am hoping the hivemind can help. Thanks in advance.

Example URL that screws up: www.ι»žηœ‹.com (fake and pulled from https://www.punycoder.com/)

Here is the frankenscript:

## The URI list to test, change this location to suit your needs
$URLListFile = "C:\PATH\TO\testsites.txt"
$URLList = Get-Content $URLListFile -ErrorAction SilentlyContinue
$Result = @()

Foreach($Uri in $URLList) {
    # Stray C# declaration, not valid PowerShell; commented out so the loop parses
    # public struct DnsNameRepresentation
    $time = try {
        $request = $null
        ## Request the URI, and measure how long the response took.
        $result1 = Measure-Command { $request = Invoke-WebRequest -Uri $uri }
        $result1.TotalSeconds
    }
    catch {
        <# If the request generated an exception (i.e.: 500 server
        error or 404 not found), we can pull the status code from the
        Exception.Response property #>
        $request = $_.Exception.Response
        # Emit -1 so the outer "$time = try" assignment records the failure
        -1
    }
    $result += [PSCustomObject] @{
        Time = Get-Date;
        Uri = $uri;
        StatusCode = [int] $request.StatusCode;
        StatusDescription = $request.StatusDescription;
        ResponseLength = [int] $request.RawContentLength;
        TimeTaken = $time;
    }
}

#Prepares report in HTML format
if($result -ne $null)
{
    $Outputreport = "<HTML><TITLE>Website Availability Report</TITLE><BODY background-color:peachpuff><font color=""#99000"" face=""Microsoft Tai le""><H2> Website Availability Report </H2></font><Table border=1 cellpadding=0 cellspacing=0><TR bgcolor=gray align=center><TD><B>URL</B></TD><TD><B>StatusCode</B></TD><TD><B>StatusDescription</B></TD><TD><B>ResponseLength (bytes) </B></TD><TD><B>TimeTaken</B></TD></TR>"
    Foreach($Entry in $Result)
    {
        if($Entry.StatusCode -ne "200") {$Outputreport += "<TR bgcolor=red>"}
## Response length is in bytes, change t

👍 2
👤 u/SysUser
📅 Mar 22 2017

Punycode URL vulnerability still exists! WARNING

punycode flaw is NOT fixed. It is January 2018, and reports said Google had fixed the Chrome punycode flaw in April 2017, but it is definitely NOT fixed.

Google Chrome Google Chrome is up to date Version 63.0.3239.132 (Official Build) (64-bit)

The site I am on is a phishing attempt from a sponsored link in facebook made to look exactly like bitmain.com's actual website. chrome displays the hyperlink: https://shop.bitmain.com/antminer_s9_asic_bitcoin_miner/ If you copy that hyperlink from the address bar and paste it anywhere else, the hyperlink is no longer the familiar bitmain.com address but instead: https://shop.xn--bitmai-1eb.com/antminer_s9_asic_bitcoin_miner/

👍 10
👤 u/darthmauldog1125
📅 Jan 13 2018