PortSwigger / url-cheatsheet-data

This is the data that powers the PortSwigger URL validation bypass cheat sheet.
https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

Added more Safari CORS bypasses #11

Closed t0xodile closed 5 days ago

t0xodile commented 5 days ago

Hello,

After a bit more testing, I found that these special chars are also valid in the Safari URL bar.

Most of these were mentioned here -> https://corben.io/blog/18-6-16-advanced-cors-techniques so I suspect this has already been tested for? I was using Safari on my mobile, so that may have influenced the result?

In any case, thought I'd submit a pull request just in case they had been missed.

P.S. I hope I did the hashing correctly. I had to use echo -n 'undefined<allowed>.¥.<attacker>undefined' | sha1sum

d0ge commented 5 days ago

Hello @t0xodile @tstOutpost24, nice catch! Thank you for contributing to the URL validation bypass cheat sheet. For some unknown reason I missed the special characters { } ' during my testing. Regarding the currency symbols, they are not valid symbols for the Safari CORS wordlist: the browser will transform them into punycode before sending the request. However, there are a number of Unicode characters that will be normalized before being sent in the Origin header. You can get the advanced wordlist with the following settings -> CORS -> Advanced -> Unicode normalization form -> Safari. You can also reproduce my fuzzer logic with the following script:

// Walk every Unicode code point and report the ones that survive unchanged
// as the leading label in front of d4d.one after URL parsing.
const safari = (start = 0x00, end = 0x10ffff) => {
    for (let i = start; i <= end; i++) {
        try {
            let z = String.fromCodePoint(i);
            // ASCII letters and digits are ordinary hostname characters; skip them.
            if (/([a-zA-Z0-9])/.test(z)) {
                continue;
            }
            const candidate = `https://${z}.d4d.one/`;
            let host = new URL(candidate);
            let h = host.hostname;
            if (h.endsWith('.d4d.one')) {
                // Strip the 8-character suffix '.d4d.one' to get the leading label.
                const subdomain = h.substring(0, h.length - 8);
                // A label with no ASCII alphanumerics was neither rejected nor
                // punycoded (xn--...), so the character passed through as-is.
                if (!/[a-zA-Z0-9]+/.test(subdomain)) {
                    console.log(i, z, candidate, host.host);
                }
            }
        } catch {
            // Code points the URL parser rejects are skipped.
        }
    }
}

safari();

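
The distinction d0ge draws above (characters that stay in the hostname as-is versus currency symbols that are turned into punycode before any request leaves the browser) can be reproduced offline with Node's WHATWG URL parser. The following is an added example, not d0ge's fuzzer and not part of the cheat-sheet data: it classifies a small constructed list of characters (the three from this PR, some currency symbols, an uppercase letter and one forbidden host code point) by the outcome of parsing them as a label in front of d4d.one, the domain d0ge's script uses. Safari's own handling differs from the standard in places, which is exactly why the cheat sheet ships a Safari-specific wordlist, so this is a first pass to run before checking in the browser itself.

```javascript
// Added example (not d0ge's script and not cheat-sheet data): sort candidate
// characters by what a WHATWG URL parser does with them when they form the
// label in front of a trusted domain. Node's global `URL` implements the
// WHATWG URL Standard; Safari diverges from it in places, and the Unicode
// normalization Safari applies before filling the Origin header is not
// modelled here at all.
//
// Outcomes:
//   kept       - the character survives unchanged in the hostname, so a
//                filter that only looks for `<allowed>` somewhere in the
//                host can be bypassed (the { } ' entries in this PR);
//   punycoded  - IDNA-valid non-ASCII, converted to an xn-- A-label before
//                any request is sent (d0ge's point about currency symbols);
//   mapped     - replaced by a different character (case folding, width
//                folding, ...), so the raw character never reaches the host;
//   rejected   - the parser throws, so the URL is never requested.

const ALLOWED_DOMAIN = 'd4d.one'; // the domain d0ge's fuzzer uses

function classify(ch, domain = ALLOWED_DOMAIN) {
  let hostname;
  try {
    hostname = new URL(`https://${ch}.${domain}/`).hostname;
  } catch {
    return { ch, outcome: 'rejected', hostname: null };
  }
  const suffix = `.${domain}`;
  if (!hostname.endsWith(suffix)) {
    // The character changed the label structure (e.g. became a separator).
    return { ch, outcome: 'restructured', hostname };
  }
  const label = hostname.slice(0, -suffix.length);
  if (label === ch) return { ch, outcome: 'kept', hostname };
  if (label.startsWith('xn--')) return { ch, outcome: 'punycoded', hostname };
  return { ch, outcome: 'mapped', hostname };
}

// Constructed candidate list for this example: the three ASCII characters
// from the PR, the currency symbols d0ge mentions, one uppercase letter and
// one forbidden host code point for contrast.
const CANDIDATES = ['{', '}', "'", '¥', '€', '£', 'A', '<'];

function classifyAll(chars = CANDIDATES) {
  return chars.map((ch) => classify(ch));
}

// The characters worth adding to a "kept" wordlist are the ones that survive.
function keptCharacters(chars = CANDIDATES) {
  return classifyAll(chars)
    .filter((r) => r.outcome === 'kept')
    .map((r) => r.ch);
}

for (const r of classifyAll()) {
  const cp = r.ch.codePointAt(0).toString(16).padStart(4, '0');
  console.log(`U+${cp} ${JSON.stringify(r.ch)} -> ${r.outcome.padEnd(12)} ${r.hostname ?? ''}`);
}
```

Run it with `node classify.js`. Extending CANDIDATES to every code point gives the same sweep d0ge's script performs; the value of the per-character outcome is that "punycoded" and "mapped" results can be dropped from a wordlist immediately, while "kept" results still have to be confirmed in Safari, since the browser is what decides what ends up in the Origin header.
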
t0xodile commented 5 days ago

Hello! Thanks for adding the extra special chars! And good to know regarding the Unicode chars, thank you very much!

Cheers,
Tom