CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User
CWE version: 4.18
Last updated: 2025-09-09
Description
The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.
Common Consequences
Scope: Integrity, Confidentiality
Technical Impact: Other
说明: An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user's credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user's knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions.
Potential Mitigations
Phase: Implementation
Phase: Implementation
Detection Methods
Method: Manual Dynamic Analysis
If utilizing user accounts, attempt to submit a username that contains homoglyphs. Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.
Effectiveness: Moderate
Observed Examples
Reference: CVE-2013-7236
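The checks below are an added defensive example written for this entry, not code from the CWE page: they flag identifiers (usernames, hostnames) that mix scripts, show the punycode form of an IDN hostname so reviewers see the real label, and escape non-ASCII when writing identifiers to logs so look-alike usernames cannot be confused during log review. The hostname and username values used are constructed test inputs.

```python
import unicodedata

# Coarse script labels taken from the first word of each character's Unicode
# name; Latin/Cyrillic/Greek are the classic homoglyph trio.
SCRIPT_WORDS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
                "CHEROKEE", "CANADIAN"}


def scripts_in(text: str) -> set[str]:
    """Return the set of scripts used by letters in `text`.

    Digits, punctuation and other 'common' characters (whose Unicode name
    does not start with a script word) are ignored.
    """
    found = set()
    for ch in text:
        word = unicodedata.name(ch, "").split(" ", 1)[0]
        if word in SCRIPT_WORDS:
            found.add(word)
    return found


def is_mixed_script(text: str) -> bool:
    """True when an identifier mixes scripts, e.g. Cyrillic 'а' inside Latin."""
    return len(scripts_in(text)) > 1


def to_punycode(hostname: str) -> str:
    """Encode an IDN hostname to its ASCII (xn--) form so a reviewer sees the
    actual label rather than the visually similar glyphs."""
    return hostname.encode("idna").decode("ascii")


def safe_log_repr(identifier: str) -> str:
    """Render an identifier for log output with non-ASCII (and backslashes,
    newlines) escaped, so '\u0430dmin' cannot be mistaken for 'admin'."""
    return identifier.encode("unicode_escape").decode("ascii")


def review_identifier(identifier: str, kind: str = "username") -> dict:
    """Summarise what a registration or link filter should know about `identifier`."""
    report = {
        "scripts": sorted(scripts_in(identifier)),
        "mixed_script": is_mixed_script(identifier),
        "log_form": safe_log_repr(identifier),
    }
    if kind == "hostname":
        report["punycode"] = to_punycode(identifier)
    return report


if __name__ == "__main__":
    # Constructed inputs: Cyrillic U+0430 in place of Latin 'a'.
    print(review_identifier("\u0430pple.com", kind="hostname"))
    print(review_identifier("\u0430dmin"))
```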
web forum allows impersonation of users with homoglyphs in account names
Reference: CVE-2012-0584
Improper character restriction in URLs in web browser
Reference: CVE-2009-0652
Incomplete denylist does not include homoglyphs of "/" and "?" characters in URLs
Reference: CVE-2017-5015
web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs
Reference: CVE-2005-0233
homoglyph spoofing using punycode in URLs and certificates
Reference: CVE-2005-0234
homoglyph spoofing using punycode in URLs and certificates
Reference: CVE-2005-0235
homoglyph spoofing using punycode in URLs and certificates
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | This weakness may occur when characters from various character sets are allowed to be interchanged within a URL, username, email address, etc. without any notification to the user or underlying system being used. |
| Implementation | - |