PortSwigger / url-cheatsheet-data

This is the data that powers the PortSwigger URL validation bypass cheat sheet.
https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

Domain Validation Bypass Using 。 #7

Closed R4356th closed 3 weeks ago

R4356th commented 3 weeks ago

Endpoints that support redirection to both relative and absolute paths usually cross-check the domain against an allow list in the case of absolute paths, which is often accomplished by checking whether the path has a . present, along with other characteristics. This can be bypassed using the Chinese dot (。), so even if a website blocks redirection to //evil.com it may still redirect to //evil%E3%80%82com, which is automatically normalised by browsers.

JorianWoltjer commented 3 weeks ago

Just checked using Shazzer; there are even a few more characters that have this same behaviour: https://shazzer.co.uk/vectors/66dff235dee60d631d11c60b

d0ge commented 3 weeks ago

Hello @R4356th, @JorianWoltjer, thank you very much for your contribution to the URL Validation Bypass Cheat Sheet. The application does support the normalization tricks you mentioned, including but not limited to U+3002, U+FF0E, and U+FF61. If you'd like to learn more, we'll be hosting a hands-on session on our Discord where we'll dive deeper into these techniques: https://discord.com/channels/1159124119074381945/1161285617519431752/1281625139112574976
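The bypass R4356th describes in the first comment, together with the three code points d0ge lists (U+3002, U+FF0E, U+FF61), as an added example that is not part of the original issue or the cheat-sheet repository. It contrasts a naive "contains a dot, so treat it as absolute" redirect check with what a WHATWG URL parser (Node's built-in `URL`, the same host-parsing algorithm browsers use) actually resolves, and shows the hardened variant that parses first and compares the normalized hostname. The allow list, the current-page base URL, the `evil.com` attacker host and the function names are all constructed for the example.

```javascript
// Added example (not from the original issue): a naive "does the target
// contain a dot?" redirect check versus what a WHATWG URL parser resolves.

// Assumed allow list of hosts the application is willing to redirect to.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]);

// Assumed current page, used as the base for resolving relative targets.
const CURRENT_PAGE = "https://www.example.com/login";

// Vulnerable classifier modelled on the behaviour described in the issue:
// no ASCII "." means "relative path", so the host is never checked.
function naiveRedirectAllowed(target) {
  if (!target.includes(".")) {
    return true;
  }
  // Crude host extraction for "absolute" targets: drop an optional
  // "scheme:" and the leading "//", then cut at the first "/", "?" or "#".
  const host = target
    .replace(/^(?:[a-z][a-z0-9+.-]*:)?\/\//i, "")
    .split(/[/?#]/)[0];
  return ALLOWED_HOSTS.has(host.toLowerCase());
}

// Where the browser actually goes: resolve against the current page and let
// the host parser percent-decode and IDNA-map the result. U+3002, U+FF0E and
// U+FF61 are all mapped to an ASCII "." label separator by that step.
function resolvedHost(target) {
  return new URL(target, CURRENT_PAGE).hostname;
}

// Hardened check: parse first, then compare the normalized hostname.
function hardenedRedirectAllowed(target) {
  let url;
  try {
    url = new URL(target, CURRENT_PAGE);
  } catch {
    return false; // unparseable target: refuse rather than guess
  }
  if (url.protocol !== "https:") {
    return false; // also rejects javascript:, data:, and scheme downgrades
  }
  return ALLOWED_HOSTS.has(url.hostname);
}

// Run all three checks against one target and return the verdicts together.
function evaluate(target) {
  return {
    naive: naiveRedirectAllowed(target),
    browserHost: resolvedHost(target),
    hardened: hardenedRedirectAllowed(target),
  };
}

// Constructed test inputs: the blocked ASCII form and the bypass variants.
const TARGETS = [
  "/account",            // genuinely relative
  "//evil.com",          // ASCII dot: the naive check catches this one
  "//evil\u3002com",     // U+3002 IDEOGRAPHIC FULL STOP
  "//evil%E3%80%82com",  // the same code point, percent-encoded as UTF-8
  "//evil\uFF0Ecom",     // U+FF0E FULLWIDTH FULL STOP
  "//evil\uFF61com",     // U+FF61 HALFWIDTH IDEOGRAPHIC FULL STOP
];

for (const t of TARGETS) {
  console.log(JSON.stringify(t), evaluate(t));
}
```

For every non-ASCII variant the naive check returns `true` (no `.` seen, so it is treated as a relative path) while `browserHost` comes back as `evil.com`; the hardened check returns `false` for all of them because it compares the hostname the parser produced rather than inspecting the raw string. The percent-encoded form works because the host parser percent-decodes before the IDNA mapping step, so string-level filters on `%E3%80%82` or on the literal `。` are both insufficient.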