HIGH unicode normalizationflaskbasic auth

Unicode Normalization in Flask with Basic Auth

Scan for unicode normalization in flask

Unicode Normalization in Flask with Basic Auth — how this specific combination creates or exposes the vulnerability

Unicode normalization becomes a security concern in Flask when Basic Auth credentials are processed because user-controlled input in usernames or passwords may contain different Unicode representations of the same visual string. For example, the Latin small letter ß can be expressed as U+00DF (sharp s) or as the two-character sequence U+0073 U+0073 (ss). Similarly, characters with accents can be encoded in composed form (é as U+00E9) or decomposed form (e + combining acute accent). If Flask or underlying WSGI utilities do not normalize these values before comparison, an attacker can supply a visually identical but differently encoded credential that bypasses authentication checks.

In a Flask app that uses Basic Auth, the Authorization header is decoded and typically split on the colon to obtain username and password. Because the header is base64-encoded but not cryptographically signed, any normalization mismatch between the submitted credentials and the stored credentials can lead to authentication bypass. An attacker may log in as another user or escalate privileges without knowing the canonical representation of the password. This is especially relevant when usernames are treated as identifiers that map to roles or permissions, as a non-normalized username can map to a different internal account than intended.

These issues intersect with middleBrick’s 12 security checks. For example, the Authentication check can detect that different Unicode forms bypass login, while the Property Authorization check can surface cases where a normalized identity is mapped to excessive permissions. Because middleBrick scans the unauthenticated attack surface and tests OpenAPI specs alongside runtime behavior, it can identify inconsistencies between documented authentication schemes and actual normalization handling. The scanner does not fix the behavior, but its findings include remediation guidance to guide developers toward secure implementations.

Basic Auth-Specific Remediation in Flask — concrete code fixes

To prevent Unicode-based bypass in Flask with Basic Auth, normalize both incoming credentials and stored references using the same Unicode form before comparison. The standard approach is to apply NFC (or NFD, consistently) using Python’s unicodedata module. Additionally, use constant-time comparison to mitigate timing attacks, avoid leaking information via error messages, and ensure that the comparison logic does not rely on raw, unchecked input.

Example Flask route with secure handling:

import base64
import unicodedata
import hashlib
import hmac
from flask import Flask, request, Response

app = Flask(__name__)

# Normalization helper
ndef normalize_credential(value: str) -> str:
    return unicodedata.normalize('NFC', value)

# Constant-time comparison helper
def safe_compare(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode('utf-8'), b.encode('utf-8'))

# In-memory store using normalized usernames and hashed passwords
USERS = {
    normalize_credential('alice'): hashlib.sha256('correct-horse-battery-staple'.encode('utf-8')).hexdigest(),
    normalize_credential('bob'): hashlib.sha256('2fa2b7c8-3ba7-49b2-9c03-1e1f043c6a11'.encode('utf-8')).hexdigest(),
}

@app.route('/api/protected')
def protected():
    auth = request.headers.get('Authorization', '')
    if not auth.lower().startswith('basic '):
        return Response('Unauthorized', 401, {'WWW-Authenticate': 'Basic'})

    try:
        payload = base64.b64decode(auth.split(' ', 1)[1].strip())
        username, password = payload.decode('utf-8').split(':', 1)
    except Exception:
        return Response('Unauthorized', 401, {'WWW-Authenticate': 'Basic'})

    username_nfc = normalize_credential(username)
    password_nfc = normalize_credential(password)
    password_hash = hashlib.sha256(password_nfc.encode('utf-8')).hexdigest()

    expected_hash = USERS.get(username_nfc)
    if expected_hash is not None and safe_compare(password_hash, expected_hash):
        return Response('OK', 200)
    return Response('Forbidden', 403)

if __name__ == '__main__':
    app.run(debug=False)



This example demonstrates normalization of both username and password, secure storage via salted hashes (shown as SHA-256 for brevity; prefer a KDF in production), and constant-time comparison to reduce side-channel risks. In a CI/CD workflow, you can integrate the middlebrick CLI to scan endpoints and verify that such controls are present; the Pro plan supports continuous monitoring so that future changes triggering normalization or authentication regressions can be flagged automatically.


For teams using the Web Dashboard or MCP Server, findings related to authentication and property authorization are surfaced with severity and remediation guidance, enabling developers to address normalization issues before deployment. The scanner’s ability to resolve OpenAPI $ref definitions and cross-reference runtime behavior helps ensure that documented authentication schemes align with actual implementation.
Scan for unicode normalization in flask Free API security scan

Frequently Asked Questions

Can Unicode normalization bypass authentication even when passwords are hashed?
Yes. If the application normalizes the stored password hash but does not normalize the user-supplied username or password before hashing, an attacker can use a visually identical Unicode variant that hashes to a different value, causing authentication to fail or bypass depending on comparison logic.
Does enabling strict UTF-8 validation in Flask prevent these issues?
Strict UTF-8 validation ensures that input is valid Unicode, but it does not guarantee canonical equivalence. You must explicitly apply Unicode normalization (e.g., NFC) to both credentials and stored references to prevent bypass via different composition forms.

Related Pages

Unicode Normalization in FlaskUnicode normalization vulnerabilities in Flask applications can allow attackers to bypass authentication using visually Unicode Normalization with Basic AuthUnicode normalization in Basic Auth creates authentication bypasses through credential comparison flaws. Learn detectionUnicode Normalization in Flask on Fly IoUnderstand Unicode Normalization risks in Flask on Fly Io, with concrete WSGI and route-level code examples to enforce cUnicode Normalization in Flask on SupabaseUnicode normalization risks in Flask with Supabase: canonicalization bypasses, IDOR, and remediation with code examples.Unicode Normalization in Flask on RailwayUnicode normalization vulnerabilities in Flask on Railway: how mismatched normalization enables bypasses and how to remeHipaa: Unicode Normalization in FlaskHIPAA, Unicode normalization, and Flask: understand risks and implement canonicalization in request handling with concreGdpr: Unicode Normalization in FlaskGDPR and Unicode normalization in Flask: risks, canonicalization examples, and remediation guidance.Iso 27001: Unicode Normalization in FlaskExplore ISO 27001 controls for Unicode Normalization in Flask apps, with concrete remediation code examples and securityCis: Unicode Normalization in FlaskCis in Unicode Normalization with Flask: understand bypass risks and apply consistent NFC normalization in route handlinUnicode Normalization in Flask with FirestoreExplore Unicode normalization issues in Flask with Firestore, including how they create security risks and specific remeUnicode Normalization in Flask with DynamodbExplore Unicode normalization risks in Flask with DynamoDB, including BOLA/IDOR patterns and concrete remediation code uUnicode Normalization in Flask with CockroachdbExplore Unicode normalization risks in Flask with Cockroachdb, including authentication bypass and IDOR, with concrete r