Homoglyph slashes in URL
2023-05-18
Read a blog post, The Dangers of Google's .zip TLD, by @bobbyrsec.
TIL: "@" and "/" in URL redirection
        userinfo  host  port
        ┌──┴──┐ ┌───┴──┐ ┌┴┐
https://user.pw@host.com:123
└─┬─┘   └─────────┬────────┘
scheme        authority
Redirect examples
URL with @ operator: redirect to what comes after "@"
# URL with @ operator
https://google.com@bing.com
        └───┬────┘ └───┬──┘
        userinfo     host
-> bing.com

# URL with @ operator, malicious intent
https://legit.com@evil.com
        └───┬───┘ └───┬──┘
        userinfo    host
-> evil.com 💀

Semantic attack example (the one given in RFC 3986, section 7.6):
ftp://cnn.example.com&story=breaking_news@10.0.0.1/top_story.htm

✅ Legitimate slash:
- / [U+002F]

❌ Homoglyph slashes:
- ⁄ [U+2044]
- ∕ [U+2215]
- ／ [U+FF0F]
- ⧸ [U+29F8]
A real slash [U+002F] before "@" ends the authority component, so the "@" and everything after it belong to the path and the URL does not redirect to the host after "@". A homoglyph slash does not end the authority, so the text before "@" is still userinfo and the URL resolves to the host after "@".
✅ / [U+002F]
                  ┌┴┐
https://google.com/search@bing.com
        └───────┬───────┘
          NOT userinfo
-> google.com

❌ ∕ [U+2215]
                  ┌┴┐
https://google.com∕search@bing.com
        └───────┬───────┘ └───┬──┘
            userinfo          host
-> bing.com 💀
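A small Python checker for the behaviour shown above, added here as an example (it is not code from the linked post): it reports the host a standards-conforming parser actually connects to and flags userinfo containing any of the slash look-alikes listed on this page. The names `raw_authority` and `inspect_url` are chosen for this example.

```python
from urllib.parse import urlsplit

# Slash look-alikes listed on this page; only the ASCII solidus U+002F ends the
# authority component, so any of these before "@" leaves the "@" inside userinfo.
SLASH_HOMOGLYPHS = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
    "\u29f8": "BIG SOLIDUS",
}


def raw_authority(url: str) -> str:
    """Authority as RFC 3986 delimits it: after "//", up to the first ASCII "/", "?" or "#"."""
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    end = len(rest)
    for delim in "/?#":
        i = rest.find(delim)
        if i != -1:
            end = min(end, i)
    return rest[:end]


def inspect_url(url: str) -> dict:
    """Report the host a conforming client connects to and flag homoglyph slashes in userinfo."""
    authority = raw_authority(url)
    userinfo, at, _ = authority.rpartition("@")
    found = [
        (i, f"U+{ord(ch):04X}", SLASH_HOMOGLYPHS[ch])
        for i, ch in enumerate(userinfo)
        if ch in SLASH_HOMOGLYPHS
    ]
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        # Recent CPython refuses a netloc that gains "/", "@" etc. under NFKC
        # normalisation (the fullwidth solidus does); treat a refusal as suspicious too.
        host = None
    return {
        "host": host,                           # host that actually receives the request
        "userinfo": userinfo if at else None,
        "homoglyphs": found,                    # (offset in userinfo, code point, name)
        "suspicious": bool(found) or host is None,
    }
```

Run it over URLs extracted from mail or logs: a non-empty `homoglyphs` list means what a reader sees as a path is really userinfo, and `host` is where the request goes.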