The complex landscape of Unicode provides many angles for exploiting software and end users. We've known about some of these for years, we've seen buffer overflows exploited because of faulty Unicode handling and we've seen homograph attacks in URL's. However, the real mysteries remain latent, unapparent to most software developers and even to the security testing community. This talk will raise awareness around interesting attack vectors and new areas of research into Unicode, as well as open people's eyes to the modern Visual Spoofing attacks of today. This talk will include demonstrations of several uncommon vulnerabilities/attack vectors, and will also include a tool release to assist in finding these issues. A separate Spoof-detection component will also be released to demonstrate how we can defend users against Visual Spoofing attacks.
Chris Weber is co-founder at Casaba Security where he's leading product development for new tools to assist in the field of Unicode and Web-application security. He has spent years focusing on software security testing for some of the world's leading software development companies and online properties. He's authored several security books, articles and presentations, and regularly speaks at industry conferences. He's worked as a security researcher and consultant for over a decade identifying hundreds of security vulnerabilities in many widely used products including Web browsers and Web-applications.