2023-05-18

Homoglyph slashes in URL

Read the blog post The Dangers of Google's .zip TLD by @bobbyrsec

TIL: "@" and "/" in URL redirection

URI

        userinfo    host    port
        ┌──┴───┐ ┌────┴────┐ ┌┴┐
https://john.doe@example.com:123
└─┬─┘   └──────────┬───────────┘
scheme         authority
 

Redirect examples

URL with "@": the browser connects to the host that comes after "@". Everything between "//" and "@" is userinfo (username[:password]), which is not part of the host, so a trusted-looking name placed there is just a decoy.

# URL with @ operator
https://google.com@bing.com
        └───┬────┘ └───┬──┘
         userinfo     host
 
-> bing.com
# URL with @ operator, malicious intent
https://google.com@evil.com
        └───┬────┘ └───┬──┘
         userinfo     host
 
-> evil.com 💀

Semantic attack example (RFC 3986, section 7.6): a human reads cnn.example.com, but the host is 10.0.0.1

ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm

✅ Legitimate slash:

  • / [U+002F]

Homoglyph slashes:

  • ⁄ [U+2044] FRACTION SLASH
  • ∕ [U+2215] DIVISION SLASH
  • ／ [U+FF0F] FULLWIDTH SOLIDUS
  • ⧸ [U+29F8] BIG SOLIDUS

A real "/" (U+002F) terminates the authority, so an "@" that comes after it is part of the path and the host stays what precedes the slash. A homoglyph slash is not a delimiter, so the authority keeps going until "@" and the host becomes what follows it. Exactly which look-alikes slip through depends on the parser in use (a browser, a link-detection regex, a URL library), so test the one that matters to you.

 / [U+002F]
                 ┌┴┐
https://google.com/search@bing.com
        └───────┬───────┘
           NOT userinfo
 
-> google.com
 ∕ [U+2215]
                 ┌┴┐
https://google.com∕search@bing.com
        └───────┬───────┘ └───┬──┘
             userinfo        host
 
-> bing.com 💀
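The diagrams above run through Python's urllib.parse, plus a small detector for the homoglyph-before-"@" pattern. This is an added example, not code from the original post or from @bobbyrsec's write-up; the sample URLs are constructed here to mirror the diagrams, and the function names (effective_host, userinfo_of, raw_authority, find_homoglyph_slashes, is_suspicious) are my own.

```python
import unicodedata
from urllib.parse import urlsplit

# Slash look-alikes listed on this page. U+FF0F is the only one with an
# NFKC compatibility mapping back to U+002F; the other three survive
# normalisation unchanged, so a normalising parser will not catch them.
HOMOGLYPH_SLASHES = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
    "\u29f8": "BIG SOLIDUS",
}


def effective_host(url: str):
    """Host a urllib-based client would connect to, or None if the parser
    rejects the URL. urlsplit ends the authority at the first real '/', '?'
    or '#'; everything before the last '@' in it is userinfo, not host."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        # urlsplit refuses a netloc whose NFKC form would introduce
        # '/', '?', '#', '@' or ':' (bpo-36216). Of the four homoglyphs
        # above only U+FF0F trips this check.
        return None


def userinfo_of(url: str):
    """The userinfo (username[:password]) a victim reads as the 'real'
    site; None when the authority has no '@' or the URL is rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if "@" not in parts.netloc:
        return None
    return parts.netloc.rpartition("@")[0]


def raw_authority(url: str) -> str:
    """Authority exactly as RFC 3986 / WHATWG delimit it: after '//' up to
    the first real '/', '?' or '#'. Homoglyph slashes do not end it."""
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def find_homoglyph_slashes(text: str):
    """(index, character name) for every slash look-alike: the four listed
    above plus any other non-ASCII char whose NFKC form contains '/'."""
    hits = []
    for i, ch in enumerate(text):
        if ch in HOMOGLYPH_SLASHES:
            hits.append((i, HOMOGLYPH_SLASHES[ch]))
        elif not ch.isascii() and "/" in unicodedata.normalize("NFKC", ch):
            hits.append((i, unicodedata.name(ch, "UNKNOWN")))
    return hits


def is_suspicious(url: str) -> bool:
    """Flag a URL whose authority carries both an '@' and a slash homoglyph:
    what looks like a path is really userinfo and the navigation target is
    the host after '@'. Plain userinfo on its own is legal per RFC 3986, so
    it is only reported in this combination."""
    auth = raw_authority(url)
    return "@" in auth and bool(find_homoglyph_slashes(auth))


if __name__ == "__main__":
    # Constructed sample URLs mirroring the diagrams on this page.
    samples = [
        "https://google.com@bing.com",
        "https://google.com/search@bing.com",
        "https://google.com\u2215search@bing.com",
        "https://google.com\uff0fsearch@bing.com",
        "ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm",
    ]
    for url in samples:
        print(f"{url!r}\n  host={effective_host(url)!r} "
              f"userinfo={userinfo_of(url)!r} "
              f"homoglyphs={find_homoglyph_slashes(url)} "
              f"suspicious={is_suspicious(url)}")
```

Two things worth noticing when you run it: the stdlib only rejects the fullwidth solidus, because that is the one homoglyph NFKC folds back to "/", while U+2044, U+2215 and U+29F8 pass straight through and hand the host to bing.com; and is_suspicious deliberately works on the raw authority text rather than on parser output, so it still fires for URLs the parser rejects.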