URL Parsing

As specified by RFC 3986, a URL is composed, from beginning to end, of: scheme (the protocol used), authority (the host, e.g. a domain name), path, query, and fragment (a reference to a secondary resource within the document). For example:

ftp://ftp.is.co.za/rfc/rfc1808.txt
ldap://[2001:db8::7]/c=GB?objectClass?one
https://stackoverflow.com/questions/30997420/what-are-fragment-urls-and-why-to-use-them#30997598

According to the standard, a URL component is terminated by "/", "?", "#" or the end of the input.

Because of the limitations and inconsistencies of the standard (and of the parsers implementing it), URL parsing is exposed to attacks such as #202204161849. Several libraries, such as Advocate and SafeCurl, try to improve the current state of URL parsing security by validating a URL before the server fetches it.
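As an added illustration, not code from this page nor from Advocate or SafeCurl: a minimal parser following the component grammar above (the RFC 3986 Appendix B expression), followed by the kind of pre-request check such libraries perform. The `resolve` callback is an assumed stand-in for DNS so the example runs offline, and the `http`/`https` allowlist is an assumption about the application.

```python
import ipaddress
import re

# RFC 3986 Appendix B: regular expression that splits a URL into its five components.
URI_RE = re.compile(r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?")
# authority = [ userinfo "@" ] host [ ":" port ]; an IPv6 host is written in brackets.
# A stray "@" or ":" in the host part does not match, so an ambiguous authority is
# rejected rather than guessed at (guessing is where parser-differential bugs come from).
AUTHORITY_RE = re.compile(r"^(?:(?P<userinfo>[^@]*)@)?(?P<host>\[[^\]]*\]|[^:@]*)(?::(?P<port>\d*))?$")
ALLOWED_SCHEMES = {"http", "https"}  # assumption: the server only proxies web URLs

def parse_url(url):
    """Split a URL into scheme, userinfo, host, port, path, query and fragment."""
    scheme, authority, path, query, fragment = URI_RE.match(url).groups()
    parts = {"scheme": scheme.lower() if scheme else None, "userinfo": None,
             "host": None, "port": None, "path": path, "query": query, "fragment": fragment}
    if authority is not None:
        m = AUTHORITY_RE.match(authority)
        if m is None:
            raise ValueError(f"ambiguous authority: {authority!r}")
        host = m["host"]
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]  # unwrap an IPv6 literal such as [2001:db8::7]
        parts.update(userinfo=m["userinfo"], host=host.lower(),
                     port=int(m["port"]) if m["port"] else None)
    return parts

def is_safe_target(url, resolve=None):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch.
    `resolve` is a hypothetical callback mapping a hostname to the IP strings it
    resolves to (stands in for DNS here); without it, non-literal hosts are refused.
    A real client must then connect to exactly the checked address (DNS rebinding)."""
    parts = parse_url(url)
    if parts["scheme"] not in ALLOWED_SCHEMES:
        return False, f"scheme {parts['scheme']!r} not allowed"
    if not parts["host"]:
        return False, "missing host"
    if parts["userinfo"] is not None:
        return False, "userinfo in authority not allowed"
    try:
        addresses = [ipaddress.ip_address(parts["host"])]
    except ValueError:
        if resolve is None:
            return False, "hostname could not be resolved"
        addresses = [ipaddress.ip_address(a) for a in resolve(parts["host"])]
    for addr in addresses:
        if not addr.is_global:  # loopback, private, link-local (169.254.x), reserved ...
            return False, f"{addr} is not a public address"
    return True, "ok"
```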

Links to this page
  • Server-Side Request Forgery (SSRF)

    SSRF is an exploit that uses the *shortcoming of URL Parsing#* on the targeted server to access internal services that should not be reachable from the outside world, by passing arbitrary commands to that service embedded in the URL parameter. The attacker can use the server as a proxy to request services from supposedly internal processes, and can smuggle protocols such as SMTP, File Transfer Protocol (FTP), HTTP and Redis within the URL.

#networking #security