PortSwigger / backslash-powered-scanner

Finds unknown classes of injection vulnerabilities

Feature request: Support unicode transformations (and especially emojis if you feel funny) #23

Open floyd-fuh opened 2 years ago

floyd-fuh commented 2 years ago

As discussed on https://twitter.com/floyd_ch/status/1561991748682915840

There are certain unicode characters that are sometimes turned into < or " or similar, meaning they are very nice examples of suspicious transformations that Backslash Powered Scanner checks for. Further details:

https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209 https://medium.com/csg-govtech/weaponizing-unicode-for-fun-and-profit-e2ce24d594c6

Apparently there are a couple of pieces of software that behave differently when Unicode is used as well:

https://www.theguardian.com/technology/2014/jun/12/tweetdeck-vulnerability-teen-code-emoji-heart https://hackerone.com/reports/96337

As far as I see, backslash powered scanner uses \u escapes such as:

https://github.com/PortSwigger/backslash-powered-scanner/blob/master/src/burp/DiffingScan.java#L161

But does not directly use the "unicode in UTF-8" bytes (starting with something 0x7f).

I don't have much experience with which unicode chars would be a good start; I actually think it's a blind spot during my testing. So it would be nice if backslash powered scanner provides this.

Extracted from the above links on what I think would be useful:

Maybe it would make sense to add them as unicode in UTF-8 bytes but maybe also \u escaped?
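As an added illustration (not code from this issue or from the scanner), a small Python check of the transformation the issue describes: it runs candidate code points through a normalization step (NFKC here, as a stand-in for whatever a backend does) and reports the ones that come out as syntax characters, alongside the two encodings the issue mentions, raw UTF-8 bytes and Java-style `\u` escapes (which need surrogate pairs for emoji). The `SYNTAX_CHARS` set and the candidate range are assumptions.

```python
import unicodedata

# Syntax characters whose appearance after a transformation would matter
# to an injection check (the kind of change BPS flags as suspicious).
# Assumed set; extend it for the syntax your application cares about.
SYNTAX_CHARS = set('<>"\'\\&;`$(){}')


def utf8_bytes(ch: str) -> bytes:
    """The raw UTF-8 encoding of a code point (what goes on the wire)."""
    return ch.encode("utf-8")


def java_u_escape(ch: str) -> str:
    """Java-style \\uXXXX escape. Java strings are UTF-16, so anything above
    U+FFFF (emoji) becomes a surrogate pair of two escapes."""
    units = ch.encode("utf-16-be")
    return "".join("\\u%04x" % int.from_bytes(units[i:i + 2], "big")
                   for i in range(0, len(units), 2))


def suspicious_transformations(candidates, transform=None):
    """Apply a transformation (default: NFKC normalization, a stand-in for
    whatever a backend does) and return {input: output} for every input
    that did not survive unchanged and now contains a syntax character."""
    if transform is None:
        transform = lambda s: unicodedata.normalize("NFKC", s)
    hits = {}
    for ch in candidates:
        out = transform(ch)
        if out != ch and any(c in SYNTAX_CHARS for c in out):
            hits[ch] = out
    return hits


def default_candidates():
    """Constructed candidate set: assigned, non-surrogate, non-private-use
    code points in the BMP above ASCII, plus one emoji above U+FFFF."""
    skip = {"Cn", "Cs", "Co"}
    cands = [chr(cp) for cp in range(0x80, 0x10000)
             if unicodedata.category(chr(cp)) not in skip]
    cands.append("\U0001F600")  # GRINNING FACE, exercises the surrogate path
    return cands


if __name__ == "__main__":
    hits = suspicious_transformations(default_candidates())
    for ch, out in sorted(hits.items()):
        print("U+%04X %-40s -> %r utf8=%s java=%s" % (
            ord(ch), unicodedata.name(ch, "?"), out,
            utf8_bytes(ch).hex(), java_u_escape(ch)))
```

Swap in your own normalization or sanitization function as `transform` to see which code points it turns into syntax characters.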