Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

UI misrepresentation is an attack that is not commonly used but can be impactful, such as UI re-dress attack.

When a message in Signal, WhatsUp and other things contains a valid URL, then it is colored and marked as a hyperlink. However, this is printed to screen before sanitizing Unicode Control Characters, which results in URI spoofing via specially crafted messages.

RTLO (right to left) is a unicode control character that reverses the display of the text. In the case of iOS, WhatsUp and other things, we can trick users to click on a malicious link but make them believe the link is going somewhere else.

For example, use the RTLO character followed by a link such as gepj.net/selif#/moc.rugmi. However, after the RTLO does its thing in the display, the link is reversed into imgur.com/#files/ten.jpeg for the display. As a result, a user would think they are going to imgur.com when they are really going to gepj.net.

Overall, interesting finding that affected most platforms. Control characters are an important thing to consider while on a pentest.