2023-05-18
Homoglyph slashes in URL
Read a blog post, The Dangers of Google’s .zip TLD, by @bobbyrsec
TIL: "@" and "/" in URL redirection
Anatomy of the authority part of a URL (the ASCII diagram below uses generic placeholder values):

```
      userinfo  host    port
        ┌─┴┐ ┌────┴────┐ ┌┴┐
https://user@example.com:123
└─┬─┘   └────────┬─────────┘
scheme       authority
```
Redirect examples
URL with "@" operator: the browser goes to whatever host comes after "@"; everything before it is userinfo.

```
# URL with @ operator
https://google.com@bing.com
        └───┬────┘ └───┬──┘
        userinfo     host
-> bing.com

# URL with @ operator, malicious intent
https://google.com@evil.com
        └───┬────┘ └───┬──┘
        userinfo     host
-> evil.com 💀
```
Semantic attack example (RFC 3986, section 7.6): the host here is 10.0.0.1; everything before "@" is userinfo, even though it reads like a cnn.example.com URL with query parameters.

```
ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm
```
✅ Legitimate slash:
- / [U+002F] SOLIDUS

❌ Homoglyph slashes (look the same, but are not URL delimiters):
- ⁄ [U+2044] FRACTION SLASH
- ∕ [U+2215] DIVISION SLASH
- ／ [U+FF0F] FULLWIDTH SOLIDUS
- ⧸ [U+29F8] BIG SOLIDUS
A real slash (U+002F) before "@" ends the authority, so the URL is not redirected to what comes after "@". A homoglyph slash is just another character to the parser, so everything before "@" becomes userinfo and the URL goes to the host after "@".
```
✅ / [U+002F]
                  ┌┴┐
https://google.com/search@bing.com
        └───────┬───────┘
          NOT userinfo
-> google.com

❌ ∕ [U+2215]
                  ┌┴┐
https://google.com∕search@bing.com
        └───────┬───────┘ └───┬──┘
            userinfo        host
-> bing.com 💀
```
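Added example (not code from this note or from @bobbyrsec's post): Python's urllib.parse.urlsplit run over the "@" trick and over each slash variant listed above, plus a defender-side check that compares the host a reader perceives with the host the parser actually resolves. It assumes absolute URLs with an authority; the SLASH_HOMOGLYPHS set and the helper names are my own.

```python
from urllib.parse import urlsplit
import unicodedata

# Slash look-alikes from the list above (my own set, not from the post).
# Only U+002F ends the authority; to a URL parser the others are plain characters.
SLASH_HOMOGLYPHS = {"\u2044", "\u2215", "\uff0f", "\u29f8"}


def actual_host(url):
    """Host a standards-conforming parser will contact (None if it rejects the URL).

    urlsplit ends the authority at the first ASCII '/', '?' or '#' and takes the
    host from whatever follows the last '@', so a homoglyph slash before '@'
    turns the whole look-alike domain into userinfo."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        # Current CPython rejects an authority that would gain '/', '@', ':',
        # '?' or '#' under NFKC normalisation (U+FF0F FULLWIDTH SOLIDUS -> '/').
        return None


def perceived_host(url):
    """Domain a person reading left to right assumes: the text after '//' up to
    the first character that *looks* like a delimiter, homoglyph slashes included."""
    rest = url.split("//", 1)[1] if "//" in url else url
    for i, ch in enumerate(rest):
        if ch in "/?#@:" or ch in SLASH_HOMOGLYPHS:
            return rest[:i]
    return rest


def findings(url):
    """Defender-side reasons to treat the URL as deceptive (empty list = clean)."""
    out = []
    authority = (url.split("//", 1)[1] if "//" in url else url).split("/", 1)[0]
    if "@" in authority:
        out.append("userinfo before '@' in authority")
    for ch in url:
        if ch in SLASH_HOMOGLYPHS:
            out.append(f"{unicodedata.name(ch)} (U+{ord(ch):04X}) used as a slash")
    actual, seen = actual_host(url), perceived_host(url)
    if actual is None:
        out.append("URL parser rejected the authority")
    elif actual != seen:
        out.append(f"resolves to {actual!r}, a reader expects {seen!r}")
    return out


if __name__ == "__main__":
    for u in ("https://google.com@bing.com", "https://google.com/search@bing.com",
              "https://google.com\u2215search@bing.com"):
        print(u, "->", actual_host(u), findings(u))
```

Note that U+FF0F is the one variant CPython refuses to parse at all, because NFKC folds it to a real "/"; the other three parse quietly and hand the request to the host after "@".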