2023-05-18
Homoglyph slashes in URL
Read a blog post, The Dangers of Google’s .zip TLD, from @bobbyrsec
TIL: "@" and "/" in URL redirection
```
      userinfo  host     port
        ┌─┴┐ ┌────┴────┐ ┌┴┐
https://user@example.com:123
└─┬─┘   └─────────┬────────┘
scheme       authority
```
(user and host values are illustrative)
Redirect examples
URL with @ operator: the browser ends up at the host after "@"; everything between "//" and "@" is treated as userinfo.
```
# URL with @ operator
https://google.com@bing.com
        └───┬────┘ └───┬──┘
        userinfo     host   -> bing.com
```
```
# URL with @ operator, malicious intent
https://google.com@evil.com
        └───┬────┘ └───┬──┘
        userinfo     host   -> evil.com 💀
```
Semantic attack example (RFC 3986, section 7.6): a reader sees cnn.example.com, but the host is 10.0.0.1.
```
ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm
```
✅ Legitimate slash (the only one that is a URL delimiter):
- / [U+002F] SOLIDUS

❌ Homoglyph slashes (look alike, but are ordinary characters to a URL parser):
- ⁄ [U+2044] FRACTION SLASH
- ∕ [U+2215] DIVISION SLASH
- ／ [U+FF0F] FULLWIDTH SOLIDUS
- ⧸ [U+29F8] BIG SOLIDUS
A real "/" before "@" ends the authority, so the "@" falls into the path and the browser stays on the host before the slash. A homoglyph slash is not a delimiter, so everything up to "@" becomes userinfo and the browser goes to the host after "@".
```
✅ / [U+002F]
                 ┌┴┐
https://google.com/search@bing.com
        └────────────┬───────────┘
               NOT userinfo        -> google.com
```
```
❌ ∕ [U+2215]
                 ┌┴┐
https://google.com∕search@bing.com
        └───────┬───────┘ └───┬──┘
            userinfo        host  -> bing.com 💀
```
(the path segment "search" is an illustrative placeholder)
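To see a parser perform the split described above, here is an added example (not from the original post or from @bobbyrsec's write-up) that runs the post's cases through Python's urllib.parse, whose authority split follows RFC 3986, and flags a slash look-alike or a domain-shaped userinfo. The `analyse` helper and the path segment "search" are assumptions of this example.

```python
# Added example: compare the host a client connects to with what a reader sees.
from urllib.parse import urlsplit

# The slash look-alikes listed in the post. Only U+002F ends the authority.
HOMOGLYPH_SLASHES = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
    "\u29f8": "BIG SOLIDUS",
}


def analyse(url: str) -> dict:
    """Return the host a client connects to, any userinfo, and findings."""
    # Scan the raw text before parsing: the parser may silently accept a
    # look-alike (U+2215) or reject one that NFKC-normalises to '/' (U+FF0F).
    found = sorted({HOMOGLYPH_SLASHES[c] for c in url if c in HOMOGLYPH_SLASHES})
    result = {"host": None, "userinfo": None, "homoglyphs": found,
              "suspicious": bool(found), "error": None}
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        result["error"] = str(exc)
        return result
    result["host"] = parts.hostname        # what the client connects to
    result["userinfo"] = parts.username    # everything before the last '@'
    # A userinfo that looks like a domain means the reader sees one site
    # while the client goes to another.
    if parts.username and "." in parts.username:
        result["suspicious"] = True
    return result


# Constructed inputs mirroring the post; "search" is an illustrative path segment.
EXAMPLES = [
    "https://google.com@bing.com",
    "ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm",
    "https://google.com/search@bing.com",        # real slash: host is google.com
    "https://google.com\u2215search@bing.com",   # U+2215: host is bing.com
    "https://google.com\uff0fsearch@bing.com",   # U+FF0F: parser may reject it
]

if __name__ == "__main__":
    for url in EXAMPLES:
        r = analyse(url)
        print(f"{url!r}\n  host={r['host']!r} userinfo={r['userinfo']!r} "
              f"homoglyphs={r['homoglyphs']} suspicious={r['suspicious']} "
              f"error={r['error']!r}")
```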