Closed R4356th closed 3 weeks ago
Just checked using Shazzer, there's even a few more characters that have this same behaviour: https://shazzer.co.uk/vectors/66dff235dee60d631d11c60b

- `。` (U+3002)
- `．` (U+FF0E)
- `｡` (U+FF61)

Hello @R4356th @JorianWoltjer, Thank you very much for your contribution to the URL Validation Bypass Cheat Sheet. The application does support the normalization tricks you mentioned, including but not limited to U+3002, U+FF0E, and U+FF61. If you’d like to learn more, we’ll be hosting a hands-on session on our Discord where we’ll dive deeper into these techniques - https://discord.com/channels/1159124119074381945/1161285617519431752/1281625139112574976

Endpoints that support redirection to both relative and absolute paths usually cross-check the domain against an allow list in case of absolute paths, which is often accomplished by checking if the path has `.` present along with other characteristics. This can be bypassed using the Chinese dot `。`. So even if a website blocks redirection to `//evil.com` it may still redirect to `//evil%E3%80%82com`, which is automatically normalised by browsers.
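Added example, not part of the issue or of the cheat sheet: a redirect check that looks for an ASCII dot, next to one that resolves the target with the WHATWG `URL` parser (the same parsing browsers apply) before consulting the allow list. The site origin, allow list and function names are hypothetical, and the sample targets are constructed from the strings quoted in this thread.

```javascript
// Hypothetical site and allow list (assumptions for this example).
const SITE_ORIGIN = 'https://app.example';
const ALLOWED_HOSTS = new Set(['app.example', 'cdn.example']);

// Host the target resolves to after browser-style parsing, or null if
// it cannot be parsed. WHATWG URL parsing percent-decodes the host and
// maps U+3002, U+FF0E and U+FF61 to "." during IDNA processing.
function resolvedHost(target) {
  try {
    return new URL(target, SITE_ORIGIN).hostname;
  } catch {
    return null;
  }
}

// Weak check as described in the issue: only targets containing an
// ASCII "." are treated as absolute and compared with the allow list.
function naiveIsAllowed(target) {
  if (!target.includes('.')) return true; // assumed to be a relative path
  return ALLOWED_HOSTS.has(resolvedHost(target));
}

// Hardened check: always resolve first, then decide on the parsed
// scheme and host, never on the raw string.
function isAllowed(target) {
  let url;
  try {
    url = new URL(target, SITE_ORIGIN);
  } catch {
    return false;
  }
  return url.protocol === 'https:' && ALLOWED_HOSTS.has(url.hostname);
}

// Constructed sample targets, including the three code points listed above.
const samples = [
  '/account/settings',
  '//evil.com',
  '//evil%E3%80%82com',
  '//evil\u3002com',
  '//evil\uFF0Ecom',
  '//evil\uFF61com',
];
for (const t of samples) {
  console.log(JSON.stringify(t), resolvedHost(t), naiveIsAllowed(t), isAllowed(t));
}
```

The same comparison on the parsed host belongs wherever the redirect target is re-read, since a later string-based check reintroduces the gap.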