Unicode Transformation (Best-Fit Mapping)
Invicti identified a Unicode Transformation (Best-Fit Mapping).
A best-fit mapping occurs when one Unicode character is substituted by a similar-looking character. This might happen, for example, if a Unicode string is converted to an ASCII string. Due to the vast difference in the number of available characters, many encoding functions try to map complex Unicode characters to a similar-looking character in ASCII: Á becomes A, ò becomes o, and so on.
A best-fit mapping might affect your application in a negative way. First of all, it is possible that the functions responsible for sanitizing user input, by encoding or removing special characters specific to the output context, are applied to the Unicode string before conversion.
Take the following string as example.
＜img src = "x" onload = "alert(1)" >
If you feed this string to a function responsible for removing HTML opening tags, nothing will be changed. This is because the first character is not an actual opening tag but the Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN ＜ (URL encoded as %EF%BC%9C).
However, if the string is then passed to a function that converts it to ASCII by applying a best-fit mapping, the Unicode character will be converted to an actual opening tag. This can easily lead to an XSS vulnerability, or in general to any other vulnerability that you try to prevent by encoding or removing specific special characters, because the mapping lets such blacklist filters be bypassed.
Additionally, an XSS vulnerability might be easier to exploit for an attacker, as the difference between input and output could confuse the built-in XSS filter of modern browsers. This will effectively prevent the filter from recognizing the cross-site scripting attack as such.
If such a best-fit mapping is necessary for your application in order to function correctly, make sure that you apply functions that encode or remove special characters after you have converted the string, not prior to conversion. Additionally, you should be aware that the built-in XSS filters of modern browsers might cease to work correctly if they are confronted with such a best-fit mapping. It is therefore strongly advised to implement Content-Security-Policy (CSP) properly in order to make up for the weakened client-side security.
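The following added example (not part of the Invicti page) demonstrates the ordering problem described above and the recommended fix. It approximates a best-fit mapping with Unicode NFKC normalization followed by an ASCII encode, which is an assumption made for this example; real best-fit tables in platform conversion APIs differ, but the fullwidth less-than sign folds to an ASCII '<' under both. The sanitizer and the sample string are constructed for the example.

```python
import html
import re
import unicodedata

# Constructed sample input: the first character is U+FF1C FULLWIDTH
# LESS-THAN SIGN, not an ASCII '<'.
SAMPLE = "\uff1cimg src=\"x\" onload=\"alert(1)\" >"


def to_ascii_best_fit(s: str) -> str:
    """Approximate a best-fit mapping (assumption for this example):
    NFKC folds compatibility characters such as fullwidth forms to their
    ASCII look-alikes; any code point still outside ASCII is dropped."""
    return unicodedata.normalize("NFKC", s).encode("ascii", "ignore").decode("ascii")


def strip_html_tags(s: str) -> str:
    """Naive blacklist sanitizer: removes anything that looks like an HTML tag.
    It only recognises the ASCII '<', so it never sees U+FF1C as a tag start."""
    return re.sub(r"<[^>]*>", "", s)


def sanitize_then_convert(s: str) -> str:
    """Vulnerable ordering: the sanitizer runs on the Unicode string, and
    the best-fit mapping afterwards turns U+FF1C into a real opening tag."""
    return to_ascii_best_fit(strip_html_tags(s))


def convert_then_sanitize(s: str) -> str:
    """Safe ordering: convert first, then remove the now-visible tags."""
    return strip_html_tags(to_ascii_best_fit(s))


def encode_after_convert(s: str) -> str:
    """Alternative safe handling: convert first, then HTML-encode for output."""
    return html.escape(to_ascii_best_fit(s), quote=True)


def survives_best_fit(s: str, sanitizer=strip_html_tags) -> bool:
    """Check for a sanitizer: True if best-fit conversion of its output
    introduces an ASCII '<' that the sanitizer would have removed."""
    return "<" in to_ascii_best_fit(sanitizer(s))


if __name__ == "__main__":
    print("sanitize then convert:", sanitize_then_convert(SAMPLE))
    print("convert then sanitize:", repr(convert_then_sanitize(SAMPLE)))
    print("encode after convert: ", encode_after_convert(SAMPLE))
    print("sanitizer bypassed:   ", survives_best_fit(SAMPLE))
```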