RTL / LTR Scripts & Browser Gaps — How Attackers Hide Malicious URLs By CyberDudeBivash (Bivash Kumar Nayak)
cyberdudebivash.com | cyberbivash.blogspot.com | cryptobivash.code.blog TL;DR Attackers abuse Unicode bidirectional controls (e.g., RIGHT-TO-LEFT OVERRIDE U+202E), mixed-script homoglyphs, and browser rendering quirks to make malicious URLs look benign in addresses, filenames, emails and UIs. This allows silent phishing, file-name spoofing, and evasion of basic URL filtering. Defenders must normalize and inspect for invisible bidi characters, enforce IDN/punycode display rules, and add logging & detection for mixed-script URLs. How the trick works — short & precise Bidi override characters (U+202E, U+202A, etc.) change the visual order of text. Example: evilexe\u202Egnp.exe may render as exe.png to a user while the real filename is evilexegnp.exe . Mixed-script homoglyphs replace characters (e.g., Latin a with Cyrillic а ) so apple.com looks identical but the Unicode code points differ. Punycode / IDN tricks let attackers register domain names that vi...