ASS - ASCII Smuggling Surfacer

Detect invisible Unicode steganography & smuggling attacks in web pages

ASS (ASCII Smuggling Surfacer) scans web pages for invisible Unicode characters that are used to hide data inside ordinary-looking text. This includes prompt injection payloads, steganographic messages, and binary-encoded content hidden using techniques like Unicode Tags, Variation Selectors, and zero-width character sequences. ───────────────────────────────────── HOW TO USE ───────────────────────────────────── 1. Click the ASS icon in the browser toolbar. 2. Click "Scan This Page" in the popup. 3. Any invisible characters found are highlighted on the page with a colored glow. 4. Hover over a highlight to see the character name, code point, run length, and category. 5. Click a highlight to expand decoded text inline. 6. Click "Open Detail Panel" to open the full side panel report. ───────────────────────────────────── POPUP ───────────────────────────────────── After a scan, the popup shows: - Overall suspicion level (Info, Medium, High, or Critical) - A count per character category (e.g. Zero-Width, Unicode Tags, Variation Selectors) - A button to open the side panel for the full report ───────────────────────────────────── DETAIL PANEL ───────────────────────────────────── The side panel provides the full inspection report. It updates automatically when a scan completes and contains the following sections: SUMMARY Shows the suspicion level, the reason for that level, total invisible code point count, unique character count, longest consecutive run, and longest Unicode tag run. DECODED STRINGS Lists all decoded plaintext extracted from the page, grouped by encoding method (Unicode Tags, Variation Selectors, Dynamic Payload, etc.). DETECTION CARDS Each detected character or consecutive run is shown as a card with: - Character name and type - Number of consecutive characters in the run - Code point(s) - Decoded text (where applicable) - Surrounding text context - A "Highlight occurrence" button that scrolls the page to that detection EXPAND ALL / COLLAPSE ALL The "Expand All" button expands every inline decoded text block on the page at once. Clicking it again collapses them. EXPORT Results can be exported from the panel header menu in two formats: - JSON: full structured report - CSV: one row per detection ───────────────────────────────────── DYNAMIC PAYLOAD DECODER ───────────────────────────────────── Some hidden payloads encode binary data by using two different invisible characters to represent 0 and 1. The Dynamic Payload Decoder reconstructs and decodes these binary strings. To use it: 1. After a scan, open the detail panel. 2. In the Dynamic Payload Decoder section, use the two dropdowns to assign "Char 0" and "Char 1" from the detected characters. 3. The decoder groups consecutive runs of those characters into a binary string and attempts ASCII decoding. 4. Both the selected mapping (Configuration A) and its inverse (Configuration B) are shown. 5. Use the Flip button to swap the two assignments. If two character types account for more than 50% of the hidden content found, the decoder will auto-suggest them. The auto-suggest threshold is adjustable in settings. ───────────────────────────────────── DETECTION FILTER ───────────────────────────────────── The Detection Filter controls which character types are included in or excluded from scan results. To use it: 1. Type a character name or code point (e.g. "U+200B" or "zero-width") into the filter input. 2. Select a character from the dropdown to add a filter chip. 3. New chips default to Exclude mode, hiding that character type from results. 4. Click the toggle on a chip to cycle through: Exclude, Disabled, and Include. 5. Click × on a chip to remove it. Category-level toggles allow entire character groups to be included or excluded at once. Fuzzy search mode matches any word in any order against character names and code points. ───────────────────────────────────── SETTINGS ───────────────────────────────────── Auto-scan pages (default: off) Scans each page automatically when it loads. Detect NO-BREAK SPACE (default: off) Includes U+00A0 in scan results. Detect confusable spaces (default: off) Includes soft hyphen, various spacing quads, thin/hair space, braille blank, and hangul filler. Detect control characters - Cc (default: off) Includes all Unicode Cc category characters, excluding TAB, LF, and CR. Detect space separators - Zs (default: off) Includes all Unicode Zs category characters, excluding ASCII space. Sequence length filter (default: min 1, max 0) Restricts highlighted runs by length. Set a minimum to ignore short isolated characters, or a maximum to focus on short bursts. 0 means no upper limit. Highlight Style Controls the visual style of the glow overlay on detected characters. Visual Profile Sets the color theme for the side panel UI (Default or Hitchhiker's Guide). Auto-Hitchhiker (default: off) Automatically switches the panel to the Hitchhiker's Guide theme when the total code point count exceeds the configured threshold. HHG Threshold (default: 800) The number of invisible code points required to trigger auto-Hitchhiker mode. Fuzzy Search (default: on) Enables fuzzy word-order matching in the Detection Filter. ───────────────────────────────────── SUSPICION LEVELS ───────────────────────────────────── Critical (red): Longest consecutive run of 40 or more invisible characters. High (orange): Longest run of 10 or more, or more than 100 total sparse characters. Medium (yellow): 10 to 100 total invisible characters, sparse. Info (blue): Fewer than 10 total invisible characters. ───────────────────────────────────── DETECTED CHARACTER TYPES ───────────────────────────────────── Always detected: - Unicode Tags (U+E0000–U+E007F), decoded to ASCII - Zero-width characters: ZWSP, ZWNJ, ZWJ, Word Joiner, CGJ, ZWNBSP - Directional and Bidi marks: LRM, RLM, embeddings, overrides, isolates - Variation Selectors: VS1–VS16 (U+FE00–U+FE0F) and VS17–VS256 (U+E0100–U+E01EF) - Invisible mathematical operators: function application, invisible times, invisible separator, invisible plus - Deprecated format controls: U+206A–U+206F Detected when enabled in settings: - NO-BREAK SPACE: U+00A0 - Confusable spaces: soft hyphen, quads, thin/hair/narrow space, braille blank, hangul filler - Control characters (Cc): all Cc except TAB, LF, CR - Space separators (Zs): all Zs except ASCII space (U+0020) ───────────────────────────────────── PRIVACY ───────────────────────────────────── All processing runs locally in the browser. No data is sent to external servers. No analytics or telemetry is collected or transmitted. ───────────────────────────────────── TEST TOOL ───────────────────────────────────── To create pages with hidden characters for testing: https://embracethered.com/blog/ascii-smuggler.html