Status: Closed (hansmach1ne closed this 6 days ago)
Hello @hansmach1ne, Thank you very much for your contribution to the URL Validation Bypass Cheat Sheet. I didn’t find any discrepancies with URL parsers in my testing environment. However, your work led to an interesting observation:
Multiple postfix dots can produce intriguing behavior:
http://example.com..
URI.parse('http://example.com..')
and Resolv.getaddress()
Not sure if this is already present in the cheat sheet (didn't see it; ignore if it is present or can't be added).
If portswigger.net is blacklisted and an attacker still wants to reference the blacklisted URL, portswigger.net. (with one or more trailing dots) can often be used, as it is an RFC-compliant format. Sometimes, by using this quirk, it can lead to unintended behaviors within apps.
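An added example, not from this thread or the cheat sheet, that illustrates the trailing-dot behaviour both comments describe and the defensive fix: a host blocklist compared verbatim misses the absolute-FQDN form of a blocked name, while a check that normalizes the host first does not. It is written in Ruby because the thread names URI.parse; the blocklist and URLs are constructed for the demonstration, and no DNS lookup (Resolv) is performed.

```ruby
require 'uri'

# Constructed blocklist for the demonstration (not from the cheat sheet).
BLOCKED_HOSTS = ['portswigger.net', 'example.com'].freeze

# Naive check: compares the parsed host verbatim against the blocklist.
# A trailing dot (the RFC-compliant absolute form of a name) makes the
# host string differ, so "portswigger.net." is not recognised as blocked.
def naive_blocked?(url)
  host = URI.parse(url).host
  return false if host.nil?
  BLOCKED_HOSTS.include?(host)
end

# Normalise a host name before matching: lower-case it and strip any
# number of trailing dots, so the absolute and relative spellings of the
# same name compare equal. Returns nil when the host is unusable (empty,
# or containing an empty label such as "example..com").
def normalize_host(host)
  return nil if host.nil?
  h = host.downcase.sub(/\.+\z/, '')
  return nil if h.empty? || h.include?('..')
  h
end

# Hardened check: fails closed on unparseable URLs and malformed hosts,
# and matches the blocklist on the normalised host name.
def hardened_blocked?(url)
  host = normalize_host(URI.parse(url).host)
  return true if host.nil? # fail closed on malformed or missing hosts
  BLOCKED_HOSTS.include?(host)
rescue URI::InvalidURIError
  true
end

if $PROGRAM_NAME == __FILE__
  ['http://portswigger.net', 'http://portswigger.net.', 'http://PortSwigger.NET..'].each do |u|
    puts format('%-28s naive=%-5s hardened=%s', u, naive_blocked?(u), hardened_blocked?(u))
  end
end
```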