Posts

Featured

Lost in Translation: Exploiting Unicode Normalization

By Ryan Barnett & Isabella Barnett

At Black Hat USA 2025, my daughter and I had the privilege of presenting a topic that sits at the uncomfortable intersection of application security, text encoding, and real‑world defensive blind spots: Unicode normalization abuse. What started as a collection of “weird edge cases” has grown into a repeatable class of vulnerabilities that attackers actively use to bypass modern security controls, especially WAFs and input validation logic. This post distills the core ideas, examples, and lessons from our talk into a single narrative for defenders, bug bounty hunters, and anyone who handles untrusted text.

References:
Black Hat video: https://www.youtube.com/watch?v=ETB2w-f3pM4
Slides: https://i.blackhat.com/BH-USA-25/Presentations/USA-25-Barnett-Lost-In-Translation-Exploiting-Unicode-compressed.pdf

Why Unicode Still Breaks Security Logic

Unicode was designed to be universal — to support every language, symbol, and writing sys...

Latest Posts

Analysis of Blind XSS Tools, Tactics and Procedures