Unicode Security Guide

Welcome to the Unicode Security Guide! This guide has been designed to give Web application developers, software engineers, and application security researchers a reference for understanding Unicode-related security issues in operating systems, applications, and the Web.

The dynamics of Unicode, and character encodings in general, are often misunderstood or poorly implemented, and lead to an array of interesting if not catastrophic security vulnerabilities.

The content here has been sourced through testing, research, and the following two technical reports from the Unicode Consortium:

• Technical Report #36 : Unicode Security Considerations
• Technical Report #39 : Unicode Security Mechanisms

Beyond these two sources, further research has been ongoing around identifying and inventorying software behaviors. Test cases are being provided in the source code repository.

Contributions and Acknowledgements

Thank you to the following security-minded practitioners for their valuable feedback on this document:

• Bil Corry
• Abraham Kang

And the following for their research and documentation into the issues:

• Unicode Consortium
• Mark Davis
• Andy Heninger
• Richard Ishida
• Michael Kaplan
• Shawn Steele
• Yosuke HASEGAWA
• Eduardo Vela
• David Lindsay
• Gareth Heyes

Disclaimers

This guide has been written by application security professionals, and has not endorsed or reviewed by the Unicode Consortium. It does draw on material from the Consortium, with references, where applicable.