![Fixxx](https://img-bb.cc/data/avatars/o/29/29801.jpg?1724280604"){kind=avatar}
Fixxx
Moderator
- Joined
- Aug 21, 2024
- Messages
- 972
- Reaction score
- 4,438
- Points
- 93
A new open-source and cross-platform tool called Tirith can detect homoglyph attacks over command-line environments by analyzing URLs in typed commands and stopping their execution. Available on GitHub and also as an npm package, the tool works by hooking into the user’s shell (zsh, bash, fish, PowerShell) and inspecting every command the user pastes for execution.
The idea is to block deceptive attacks that rely on URLs containing symbols from different alphabets that appear identical or nearly identical to the user but are treated as different characters by the computer (homoglyph attacks). This lets attackers create a domain names that looks the same as that of a legitimate brand but have one or more characters from a different alphabet. On the computer screen, the domain looks legitimate for the human eye, but machines interpret the anomalous character correctly and resolve the domain to the server controlled by the attacker. While browsers have addressed the issue, terminals continue to be susceptible as they can still render Unicode, ANSI escapes, and invisible characters, says Tirith's author, Sheeki, in the description of the tool. According to Sheeki, the Tirith can detect and block the following types of attack:
The creator assures that Tirith performs all analysis actions locally, without making any network calls, does not modify the user’s pasted commands, and does not run in the background. Also, it does not require cloud access or network, accounts, or API keys, and does not send any telemetry data to the creator. Tirith works on Windows, Linux, and macOS, and can be installed through Homebrew, apt/dnf, npm, Cargo, Nix, Scoop, Chocolatey, and Docker.
*URLs in commands look identical but are different.
The idea is to block deceptive attacks that rely on URLs containing symbols from different alphabets that appear identical or nearly identical to the user but are treated as different characters by the computer (homoglyph attacks). This lets attackers create a domain names that looks the same as that of a legitimate brand but have one or more characters from a different alphabet. On the computer screen, the domain looks legitimate for the human eye, but machines interpret the anomalous character correctly and resolve the domain to the server controlled by the attacker. While browsers have addressed the issue, terminals continue to be susceptible as they can still render Unicode, ANSI escapes, and invisible characters, says Tirith's author, Sheeki, in the description of the tool. According to Sheeki, the Tirith can detect and block the following types of attack:
- Homograph attacks (Unicode lookalike characters in domains, punycode, and mixed scripts)
- Terminal injection (ANSI escapes, bidi overrides, zero-width chars)
- Pipe-to-shell patterns (curl | bash, wget | sh, eval $(…))
- Dotfile hijacking (~/.bashrc, ~/.ssh/authorized_keys, etc.)
- Insecure transport (HTTP to shell, TLS disabled)
- Supply-chain risks (typosquatted git repos, untrusted Docker registries)
- Credential exposure (userinfo URLs, shorteners hiding destinations)
The creator assures that Tirith performs all analysis actions locally, without making any network calls, does not modify the user’s pasted commands, and does not run in the background. Also, it does not require cloud access or network, accounts, or API keys, and does not send any telemetry data to the creator. Tirith works on Windows, Linux, and macOS, and can be installed through Homebrew, apt/dnf, npm, Cargo, Nix, Scoop, Chocolatey, and Docker.