CWE-1007 details

CWE-1007

Insufficient Visual Distinction of Homoglyphs Presented to User
Likelihood of exploit: Medium
Status: Incomplete
2017-11-08 00h00 +00:00
2025-12-11 00h00 +00:00

Name: Insufficient Visual Distinction of Homoglyphs Presented to User

The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.

General information

Modes of introduction

Architecture and Design: This weakness may occur when characters from various character sets are allowed to be interchanged within a URL, username, email address, etc. without any notification to the user or underlying system being used.
Implementation

Applicable platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)
Class: Web Based (Sometimes)

Common consequences

Scope: Integrity, Confidentiality, Other

Note: An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user's credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user's knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions.

Observed examples

Reference: Description
CVE-2013-7236: web forum allows impersonation of users with homoglyphs in account names
CVE-2012-0584: Improper character restriction in URLs in web browser
CVE-2009-0652: Incomplete denylist does not include homoglyphs of "/" and "?" characters in URLs
CVE-2017-5015: web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs
CVE-2005-0233: homoglyph spoofing using punycode in URLs and certificates
CVE-2005-0234: homoglyph spoofing using punycode in URLs and certificates
CVE-2005-0235: homoglyph spoofing using punycode in URLs and certificates

Potential mitigations

Phases : Implementation
Phases : Implementation

Detection methods

Manual Dynamic Analysis

If utilizing user accounts, attempt to submit a username that contains homoglyphs. Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.
Effectiveness: Moderate
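As an added example (not part of the CWE entry), a defensive check that a registration form or a URL display layer can run on the inputs this entry describes: it flags labels that mix Unicode scripts, or that consist entirely of Latin-lookalike Cyrillic/Greek letters, and renders such hostnames in their ASCII-compatible punycode ("xn--") form and such usernames with escaped code points, so the homoglyphs are visibly distinct. The lookalike table is a constructed, partial subset, not Unicode's full confusables list.

```python
import unicodedata

# Constructed, partial subset of Cyrillic/Greek letters that render like Latin
# letters in common fonts (not the full Unicode confusables.txt table).
LATIN_LOOKALIKES = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0455\u0456\u0458\u04cf\u0501"
    "\u03b1\u03b9\u03bd\u03bf\u03c1"
)

def script_of(ch: str) -> str:
    """Coarse script bucket: first word of the Unicode character name
    ('LATIN', 'CYRILLIC', 'GREEK', ...); digits, punctuation and symbols
    are treated as 'COMMON' and ignored when comparing scripts."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def scripts_in(label: str) -> set:
    return {script_of(ch) for ch in label} - {"COMMON"}

def homoglyph_risk(label: str) -> str:
    """Return '' if the label is safe to show as-is, otherwise why it is confusable."""
    scripts = scripts_in(label)
    if len(scripts) > 1:
        return "mixed-script: " + "+".join(sorted(scripts))
    letters = [ch for ch in label if ch.isalpha() and not ch.isascii()]
    if letters and all(ch in LATIN_LOOKALIKES for ch in letters):
        return "whole-script confusable with Latin"
    return ""

def display_hostname(hostname: str) -> str:
    """Show Unicode only when every DNS label passes homoglyph_risk; otherwise
    show the punycode ('xn--') form so a lookalike domain is visibly different
    from the trusted one (stdlib IDNA codec)."""
    labels = hostname.split(".")
    if not any(homoglyph_risk(lbl) for lbl in labels):
        return hostname
    return hostname.encode("idna").decode("ascii")

def display_username(username: str) -> str:
    """For log review: escape non-ASCII code points of a risky username so that
    'p\u0430ypal' (Cyrillic a) and 'paypal' never look identical in an admin console."""
    if homoglyph_risk(username):
        return username.encode("unicode_escape").decode("ascii")
    return username
```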

Vulnerability mapping notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related attack patterns

CAPEC-ID Attack pattern name
CAPEC-632 Homograph Attack via Homoglyphs
An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.


Submission

Name Organization Date Release date Version
CWE Content Team MITRE 2017-07-24 +00:00 2017-11-08 +00:00 2.12

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2018-03-27 +00:00 updated Demonstrative_Examples, Description, References
CWE Content Team MITRE 2019-01-03 +00:00 updated Demonstrative_Examples, Description, Related_Attack_Patterns
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Observed_Examples
CWE Content Team MITRE 2022-10-13 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Demonstrative_Examples, Description, Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms