πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Typosquatting

Typosquatting happens when a user mistypes an input (e.g. URL, email, dependency package, etc.) and does not visually verify if it is correct. As a result, the user is directed to an adversary-controlled destination or may include a malicious dependency in their code. There are many varieties of typosquatting and a program should prevent them or warn the user.

Remediation:

  • Input Validation Strategy: Assume all input is malicious and use an "accept known good" input validation strategy. Reject any input that does not conform to specifications
  • When performing input validation, consider all potentially relevant properties including length, type, range of acceptable value, missing or extra inputs, syntax etc.
  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (link:CWE-180)
  • Make sure that the application does not decode the same input twice (link:CWE-174). Such errors could be used to bypass allow list validation schemes by introducing dangerous inputs after they have been checked.

Metadata

  • Severity: medium
  • Slug: typosquatting

CWEs

  • 176: Improper Handling of Unicode Encoding
  • 1007: Insufficient Visual Distinction of Homoglyphs Presented to User
Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.