PortSwigger / url-cheatsheet-data

This is the data that powers the PortSwigger URL validation bypass cheat sheet.
https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

Reference localhost, avoid using :// in the protocol portion of the absolute URL #4

Closed hansmach1ne closed 3 weeks ago

hansmach1ne commented 3 weeks ago

http:/0/arbitrary
curl http:/0/arbitrary

Support for this will depend on the browser and context. Firefox will reference 0.0.0.0, while Chromium won't parse this as a valid URL. Also, a lot of the server-side libraries, such as curl, will reference localhost here.

d0ge commented 3 weeks ago

Thank you very much for your contribution to the URL validation bypass cheat sheet. Interestingly, when I tested this case in Chrome, it parses the string as a valid URL using the new URL constructor and a href; however, the address bar disallows it. Another interesting observation: Chrome's behaviour is different for the string http:/2130706433/arbitrary (same as https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet#id=5d2743398cd2346eb0a4008174a817498c7f685e). This issue has a lot of potential. Thank you again for your support. May I ask you to send me your handle on X.com (formerly Twitter.com)? Alternatively, I can use a link to your profile on GitHub if that's more convenient for you.

Cheers!

hansmach1ne commented 3 weeks ago

https://x.com/h4nsmach1ne
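
The defensive takeaway from this thread, as an added example that is not part of the issue or of PortSwigger's code: an SSRF filter should decide on the host the URL parser actually produced, not on the raw string. The sketch assumes a WHATWG URL parser as shipped in Node.js; `naiveIsInternal`, `classify` and `BLOCKED_V4` are hypothetical names, and refusing every IPv6 literal is a simplification.

```javascript
// Added example (not from the issue thread). All names are hypothetical.

// A string-level blocklist: the kind of check the string in this issue slips past.
function naiveIsInternal(input) {
  return /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)([:\/]|$)/i.test(input);
}

// IPv4 ranges a server-side fetcher should normally refuse: [base, prefix length].
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16],
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(dotted) {
  return dotted.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inBlockedV4(dotted) {
  const ip = v4ToInt(dotted);
  return BLOCKED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the subnet
    return Math.floor(ip / size) === Math.floor(v4ToInt(base) / size);
  });
}

// Classify on the parsed, canonical hostname, never on the raw input string.
function classify(input) {
  let url;
  try { url = new URL(input); } catch { return { allowed: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme" };
  }
  const host = url.hostname; // canonical form, e.g. "0" becomes "0.0.0.0"
  if (host.startsWith("[")) { // simplification: refuse all IPv6 literals
    return { allowed: false, reason: "ipv6-literal", host };
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && inBlockedV4(host)) {
    return { allowed: false, reason: "internal-ipv4", host };
  }
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { allowed: false, reason: "localhost-name", host };
  }
  // DNS names pass here; the resolved address still needs checking at connect time.
  return { allowed: true, host };
}
```

The fetch itself should go through the same parser that made the decision, since the thread shows that parsers disagree on these inputs.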