Smart Contract / Right-To-Left-Override Control Character (U+202e)
Description
The Right-To-Left-Override control character (U+202E) is a weakness in software code (SWC) that can allow an attacker to manipulate how data is read. This weakness is also referred to as a Unicode Character Encoding Vulnerability and is categorized in the Common Weakness Enumeration (CWE) directory as CWE-202. In a Right-To-Left-Override attack, the attacker inserts the Unicode control character U+202E into a string of text, which reverses the order in which the following characters are displayed. This lets the attacker alter the apparent meaning of the text while the underlying characters stay the same, making the malicious manipulation difficult to detect by reading the code. The OWASP Testing Guide provides further information on the weakness and how to detect it.
Risk
Because this weakness changes what a reader sees rather than what the software processes, it can lead to serious security issues in the code. An attacker can use the Right-To-Left-Override attack to bypass authentication and authorization controls, allowing them to access sensitive data or execute malicious code within the system. The weakness should therefore be checked for during security testing and its risk evaluated.
Solution
The solution is to ensure that the software uses Unicode-safe strings and properly validates user input. Making sure that all strings are Unicode-safe and that user input is correctly validated ensures that any malicious manipulation of the data, such as an embedded U+202E character, will be detected.
Example
The following example code shows a simple SWC contract that could be vulnerable to the Right-To-Left-Override attack. In this example, the contract contains a function called verifyName which is used to verify a user's identity.
pragma solidity ^0.8.0;

contract SWC {
    // Checks whether the supplied name matches the expected value.
    // Solidity has no == operator for strings, so the two values are
    // compared through their keccak256 hashes.
    function verifyName(string memory name) public pure returns (bool isVerified) {
        return keccak256(bytes(name)) == keccak256(bytes("John Doe"));
    }
}
If an attacker were to use the Right-To-Left-Override attack to manipulate the string John Doe, they could reverse the string to eoD nhoJ. This would cause the verifyName function to return true even if the user's name was not John Doe.
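As an added example that is not part of this page, the following Python script (assumed review tooling, not code from the SWC registry) scans a constructed Solidity snippet for U+202E and, going slightly beyond the page, the other Unicode bidirectional control characters, reporting the line and column of each so a reviewer or CI job can catch the manipulation described above before it is merged.

```python
# Added example: detect Unicode bidirectional control characters in source
# text. The Solidity snippet below is constructed for this example.
import unicodedata

# Bidi embedding/override/isolate controls. They change how text renders
# in an editor or diff viewer without changing what the compiler sees.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE LRE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}


def find_bidi_controls(source: str):
    """Return a list of (line, column, description) for every bidi control
    character found in `source`. Lines and columns are 1-based."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                desc = f"U+{ord(ch):04X} {unicodedata.name(ch)}"
                findings.append((lineno, col, desc))
    return findings


def is_clean(source: str) -> bool:
    """True when the source contains no bidi control characters."""
    return not find_bidi_controls(source)


# Constructed sample: the literal renders as "John Doe" in a bidi-aware
# viewer, but the bytes the compiler hashes are U+202E followed by "eoD nhoJ",
# so the contract no longer compares against the value a reviewer sees.
SAMPLE = (
    "contract SWC {\n"
    "    function verifyName(string memory name) public pure returns (bool) {\n"
    '        return keccak256(bytes(name)) == keccak256(bytes("\u202EeoD nhoJ"));\n'
    "    }\n"
    "}\n"
)

if __name__ == "__main__":
    for line, col, desc in find_bidi_controls(SAMPLE):
        print(f"line {line}, col {col}: {desc}")
```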