d0ge
commented
6 days ago Hello @hansmach1ne, Thank you very much for your contribution to the URL Validation Bypass Cheat Sheet. I didn’t find any discrepancies with URL parsers in my testing environment. However, your work led to an interesting observation:
Multiple postfix dots can produce intriguing behavior:
- Browsers (Chrome and Safari): Both accept the domain
http://example.com.. - Safari: Cannot resolve
http://example.com.. - Only Ruby: Accepts the domain when using
URI.parse('http://example.com..')andResolv.getaddress()
Not sure if this is already present in the cheat sheet (didn't see it, ignore if present or can't be added).
If
portswigger.netis blacklisted and attacker still wants to reference the blacklisted URL,portswigger.net.(with a DOT postfix|es), can often be used, as it is RFC-compliant format. Sometimes by using this quirk, it can lead to unintended behaviors within apps.