Unicode Normalization in Aspnet

Unicode normalization attacks in Aspnet often exploit the framework's handling of Unicode characters in routing, authentication, and data comparison operations. Aspnet's routing system can treat visually identical characters as distinct when they have different Unicode representations, creating opportunities for bypass attacks.

A common manifestation occurs in route parameter binding. Consider an Aspnet Core controller with a route like /users/{id}. An attacker can supply a user ID using a precomposed character (NFC) while the database stores the same identifier in decomposed form (NFD). Aspnet's model binding will treat these as different values, potentially exposing information about non-existent resources or triggering authorization bypasses.

[HttpGet("/users/{id}")]
public IActionResult GetUser(string id) {
    // If database stores 'é' as U+0065 U+0301 (NFD)
    // But request sends U+00E9 (NFC), these are different strings
    var user = _userRepository.FindById(id); // May return null
    return Ok(user ?? new User { Name = "Unknown" });
}

Authentication mechanisms in Aspnet are particularly vulnerable. When comparing passwords or API keys that contain Unicode characters, Aspnet's default string comparison can be case-sensitive and normalization-sensitive. An attacker can craft credentials using different Unicode representations to bypass authentication checks.

public bool ValidateCredentials(string username, string password) {
    var storedUser = _userRepository.FindByUsername(username);
    
    // Default comparison is case-sensitive and normalization-sensitive
    if (storedUser.Password != password) {
        return false; // May incorrectly reject valid credentials
    }
    
    return true;
}

Cross-site request forgery (CSRF) protection in Aspnet can also be compromised. The anti-CSRF tokens generated by Aspnet's IAntiforgery service are sensitive to Unicode normalization. If a form submission uses different Unicode normalization than what was used to generate the token, validation will fail, potentially causing denial of service or allowing bypass if error handling is improper.

URL parsing in Aspnet Core's routing middleware presents another attack surface. The framework's URL decoding process doesn't automatically normalize Unicode characters, allowing attackers to create multiple URLs that resolve to the same resource but are treated as distinct by Aspnet's routing logic.

Detecting Unicode normalization issues in Aspnet requires examining both the application code and runtime behavior. middleBrick's API security scanner includes specific checks for Aspnet applications that analyze how Unicode characters are handled throughout the request pipeline.

The scanner examines Aspnet route definitions and model binding configurations to identify endpoints vulnerable to normalization attacks. It tests route parameters by sending requests with different Unicode normal forms and observing how the application responds. For example, it will send both NFC and NFD versions of characters to see if they're treated as equivalent.

middleBrick specifically tests Aspnet's authentication and authorization mechanisms by attempting to authenticate with credentials that use different Unicode representations. It checks whether Aspnet's default string comparison operators are being used in security-critical contexts like password validation, API key comparison, and authorization checks.

# Scan an Aspnet API endpoint with middleBrick
middlebrick scan https://yourapi.com/api/users

# The scanner will test:
# - Route parameter handling with different Unicode forms
# - Authentication bypass attempts using normalization
# - Authorization checks for BOLA vulnerabilities
# - CSRF token validation with Unicode variations

The scanner also examines Aspnet's configuration files (appsettings.json, web.config) for Unicode-related settings and analyzes middleware pipeline configurations that might affect character handling. It specifically looks for Aspnet's built-in Unicode handling behaviors and identifies where developers might need to add explicit normalization.

For Aspnet Core applications, middleBrick checks the use of StringComparison options in security-sensitive comparisons, the configuration of route constraints, and the handling of URL parameters. It identifies patterns where Aspnet's default behavior could lead to security vulnerabilities due to inconsistent Unicode handling.

Remediating Unicode normalization issues in Aspnet requires implementing consistent normalization across all security-sensitive operations. Aspnet provides several approaches to address these vulnerabilities, leveraging both built-in framework features and .NET's Unicode handling capabilities.

The most effective approach is to normalize all input strings to a consistent form immediately upon receipt. In Aspnet Core, this can be implemented using action filters or model binding conventions that automatically normalize incoming parameters.

public class NormalizeInputFilter : IActionFilter {
    public void OnActionExecuting(ActionExecutingContext context) {
        foreach (var (key, value) in context.ActionArguments) {
            if (value is string stringValue) {
                context.ActionArguments[key] = NormalizeUnicode(stringValue);
            }
        }
    }
    
    public void OnActionExecuted(ActionExecutedContext context) { }
    
    private string NormalizeUnicode(string input) {
        return input.Normalize(NormalizationForm.FormC); // NFC
    }
}

// Apply globally in Startup.cs
services.AddControllers(options => {
    options.Filters.Add<NormalizeInputFilter>();
});

For authentication and authorization, Aspnet developers should use StringComparison.OrdinalIgnoreCase combined with explicit normalization when comparing sensitive strings. This ensures both case-insensitivity and normalization consistency.

public bool ValidateCredentials(string username, string password) {
    var normalizedUsername = username.Normalize(NormalizationForm.FormC);
    var normalizedPassword = password.Normalize(NormalizationForm.FormC);
    
    var storedUser = _userRepository.FindByUsername(normalizedUsername);
    
    if (storedUser == null) return false;
    
    // Use ordinal comparison with normalization
    if (!string.Equals(storedUser.Password, normalizedPassword, 
                      StringComparison.OrdinalIgnoreCase)) {
        return false;
    }
    
    return true;
}

Aspnet's model binding system can be extended to include Unicode normalization for route parameters and query strings. This ensures consistent handling before values reach controller actions.

For Aspnet Web Forms applications, the Globalization configuration in web.config can be used to enforce consistent Unicode handling across the application.

<system.web>
  <globalization requestEncoding="UTF-8" 
                responseEncoding="UTF-8" 
                fileEncoding="UTF-8" 
                culture="en-US" 
                uiCulture="en-US" />
</system.web>

middleBrick's Pro and Enterprise plans include continuous monitoring that can detect when Unicode normalization issues reappear in production, alerting developers when new endpoints are added without proper normalization safeguards.