Published: 29 October 2024 at 13:59 UTC
Updated: 22 November 2024 at 09:06 UTC
The strength of our URL Validation Bypass Cheat Sheet lies in the contributions from the web security community, and today’s update is no exception. We are excited to introduce a new and improved IP address calculator, inspired by @e1abrador's Encode IP Burp Suite Extension and many more.
In addition to the existing ways of representing an IPv4 address, we’ve added the following new formats, supported by Chrome, Firefox, and Safari. For example, the cloud metadata IP address 169.254.169.254 can be represented in the following ways:
Partial Decimal (Class B) format combines the third and fourth parts of the IP address into a decimal number
Partial Decimal (Class A) format combines the second, third, and fourth parts of the IP address
Mixed Encodings: each segment of the IP address can be presented in different formats: hexadecimal, decimal, or octal. To keep our tool efficient, we don’t generate all possible combinations. Instead, we convert the first segment to hexadecimal, the second to decimal, and the last two segments to octal
The cheat sheet now also supports IPv6 addresses. When a valid IPv6 address is entered into the attacker’s hostname, the wordlist will be updated with the expanded form of the address. If the IPv6 address contains an embedded IPv4 address, the cheat sheet will extract it and generate all the previously mentioned formats. This behaviour can be disabled in the advanced settings.
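The IPv4 formats listed above and the IPv6 handling described in this paragraph, as an added example that is not the cheat sheet's own code: it generates the Partial Decimal (Class B), Partial Decimal (Class A) and Mixed Encodings forms for a dotted quad, expands an IPv6 address and pulls out an embedded IPv4 (IPv4-mapped or 6to4, via Python's standard `ipaddress` module), and shows that a validator built on a strict parser rejects every one of these forms, so a comparison against what the browser will actually connect to has to be done on the canonical address.

```python
import ipaddress
from typing import List, Optional, Tuple


def octets(ip: str) -> Tuple[int, int, int, int]:
    """Split a canonical dotted-quad string into its four integer parts."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return a, b, c, d


def partial_decimal_class_b(ip: str) -> str:
    """Combine the third and fourth parts into one decimal number: a.b.<c*256+d>."""
    a, b, c, d = octets(ip)
    return f"{a}.{b}.{(c << 8) + d}"


def partial_decimal_class_a(ip: str) -> str:
    """Combine the second, third and fourth parts into one decimal number: a.<b*65536+c*256+d>."""
    a, b, c, d = octets(ip)
    return f"{a}.{(b << 16) + (c << 8) + d}"


def mixed_encoding(ip: str) -> str:
    """First part hex, second decimal, last two octal (the cheat sheet's single chosen mix)."""
    a, b, c, d = octets(ip)
    return f"0x{a:x}.{b}.0{c:o}.0{d:o}"


def embedded_ipv4(ipv6: str) -> Optional[str]:
    """IPv4 address embedded in an IPv4-mapped (::ffff:a.b.c.d) or 6to4 (2002::/16) address, if any."""
    addr = ipaddress.IPv6Address(ipv6)
    inner = addr.ipv4_mapped or addr.sixtofour
    return str(inner) if inner else None


def variants(host: str) -> List[str]:
    """Alternative spellings a client may resolve to the same address; [] if host is not an IP literal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return []
    if addr.version == 6:
        forms = [addr.exploded]           # the expanded (fully written out) form
        inner = embedded_ipv4(host)
        return forms + variants(inner) if inner else forms
    ip = str(addr)
    return [partial_decimal_class_b(ip), partial_decimal_class_a(ip), mixed_encoding(ip)]


def strict_parser_accepts(host: str) -> bool:
    """True only for canonical literals; a validator that normalises this way sees none of the variants."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False
```

Because `strict_parser_accepts` returns False for every variant, an allowlist or blocklist that only inspects the canonical form never matches the spelling the browser will actually dial, which is why the safe check is to reject any host that is not a canonical IP literal or a resolvable name, and to compare the resolved address rather than the string.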
Additionally, you can encode the resulting IP formats using special encodings like Circled Latin letters and numbers, Fullwidth Forms, or even Seven-segment display characters. To apply these, open the Advanced settings, go to Normalization settings, and select one or more encoding options.
We’ve added an intriguing new payload to our cheat sheet that targets discrepancies in userinfo parsing, submitted by @SeanPesce:
The “left square bracket” character [ in the userinfo segment can cause Spring’s UriComponentsBuilder to return a hostname value that differs from how major browsers interpret it. This discrepancy can potentially lead to vulnerabilities such as open redirects or SSRF. While testing this payload with our cheat sheet, I was also able to reproduce a separate exploit that was patched in the same update. This is a perfect example of how our URL Validation Bypass Cheat Sheet can be used to identify real-world vulnerabilities.
We’ve recently updated our CORS Bypass Cheat Sheet with new techniques, including an edge case related to localhost regex implementations and Safari-specific domain splitting attacks, submitted by @t0xodile. These updates address scenarios where attackers can manipulate domains using special characters to bypass validation checks. Examples include:
Make sure to follow us on X (formerly Twitter) @PortSwiggerRes to stay informed about our latest updates and new attack techniques.
A big thanks to the web security community for continuing to keep the URL Validation Bypass Cheat Sheet up to date with the latest techniques. If you’d like to contribute, feel free to raise an issue or submit a PR.