Bypassing Homograph Attack Using `@` On Brave Browser

After a few month not hunting bug, and i want to hunt again. I read my previous report about Bypassing Homograph and look at the patch code. And I think I can bypass it, with some trick.

I see code on Brave Github patch on previous report, and with minimum programming skill try to bypassing homograph. I notice on their code is something like this. :

it('returns the punycode URL when given a valid URL', function () {
    assert.equal(urlUtil.getPunycodeUrl('http://brave:brave@ebа'), '')

I notice on url between @ , the URL after @ is containing punycode, and get return to ASCII , and my weird logic think if before @ the punycode it’s doesn’t return to ASCII,

And this is How I Reproduce it  :

This is punycode URL ebаа = .

Set it to homepage

Attempt : 
- ebаа it'll become = ebа 
- ebаа it'll become = xn--eby-7cd.xn--com/
- ebаа it'll become = ebа

And this is true before @ doesn’t return to ASCII ,  so to visit the link before @ i give / after punycode. So, when user input ebа user will redirect to :

Video :

And I report to Brave tim on Hackerone , you can see my report on : . The brave tim very fast when patching it. And i got rewarded with bounty. Yeay!

And I say thanks to them with some GIF because very fast reply and patching although there’s just minor bug.

This is the GIF

You can see the patching on their github also on :


Published by


Urip Kui Urup

One thought on “Bypassing Homograph Attack Using `@` On Brave Browser”

Leave a Reply

Your email address will not be published. Required fields are marked *