sindresorhus/normalize-url

homograph attack prevention by toASCII option

Closed this issue · 1 comments

I am using quill-magic-url which uses normalize-url (and lets me pass in options through to it).

I am trying to figure out the best way in this setup to prevent a homograph attack, where a bad user enters something that looks like http://ebаy.com (hover over it) but is actually linking to the equivalent IDN (punycode): http://xn--eby-7cd.com
https://blog.blazeinfosec.com/what-you-see-is-not-what-you-get-when-homographs-attack/

I believe it might be ideal if the browser-safe version of normalize-url optionally converted the URL to ASCII format to prevent this.

import punycode from "punycode";
...
if (toASCII) {
  // punycode.toASCII() encodes domain names, so convert the host rather than the whole URL
  const parsed = new URL(url);
  parsed.hostname = punycode.toASCII(parsed.hostname);
  url = parsed.href;
}

Thoughts?
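As an added example (not code from the original issue, from normalize-url or from quill-magic-url), this shows what the proposed option amounts to using only the WHATWG URL class built into Node and browsers, which applies IDNA processing to the host so non-ASCII labels come out in xn-- punycode form. The sample link is constructed with the Cyrillic "а" (U+0430) from the report above; the function names are mine.

```javascript
// Added example: canonicalise a link to its ASCII (punycode) host form and
// flag links whose typed text hides that an IDN label is involved.
// Relies only on the global WHATWG URL class (Node >= 10 and all modern browsers).

// Return the full URL with its host in ASCII form, e.g.
// "http://eb\u0430y.com" -> "http://xn--eby-7cd.com/"
function toAsciiUrl(input) {
  return new URL(input).href;
}

// Host labels that the URL parser had to punycode-encode (always lowercase).
function idnLabels(input) {
  return new URL(input)
    .hostname.split(".")
    .filter((label) => label.startsWith("xn--"));
}

// A link is flagged when the wire host carries punycode labels but the text
// the user typed shows none: the reader would see Unicode that hides the xn--.
function isDisguisedIdn(input) {
  return idnLabels(input).length > 0 && !/xn--/i.test(input);
}

// Render both href and visible text in ASCII form so hovering or reading the
// link exposes the punycode host instead of the look-alike characters.
function safeLink(input) {
  const href = toAsciiUrl(input);
  return { href, text: href, flagged: isDisguisedIdn(input) };
}

// Constructed sample input from the report: Latin "eb", Cyrillic "а", Latin "y".
const sample = "http://eb\u0430y.com";
console.log(safeLink(sample));
console.log(safeLink("http://ebay.com"));
```

The same canonical form is what normalize-url produces for such a host, so a renderer that displays the normalized href as the link text rather than the user's original string leaves the xn-- visible.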

This package already does this. I added a test to prove it: e69796d