Full Report
URLs are notoriously hard to parse. This article is a list of easy-to-try URL domain bypasses. This includes absolute URLs, CORS bypasses and weird host headers. The domains contain different encodings (URL encodings), classic parser differentials such as semicolons and https://\\ and usage of username/passwords in the URL. I had been writing a CTF challenge for the Spokane Cyber Cup. From this article, I found 3 bypasses for one of my challenges immediately. Solid techniques!
Analysis Summary
# Tool/Technique: URL Validation Bypass
## Overview
URL Validation Bypass is a post-exploitation or reconnaissance technique used to circumvent security filters that restrict outgoing or incoming web requests. These techniques exploit inconsistencies in how different URL parsers (e.g., in web servers, load balancers, and back-end applications) interpret standard and non-standard URL syntax. By successfully bypassing these filters, attackers can execute Server-Side Request Forgery (SSRF), manipulate Cross-Origin Resource Sharing (CORS) policies, or perform Open Redirections.
## Technical Details
- **Type:** Technique (Exploitation/Evasion)
- **Platform:** Web Applications (Platform independent)
- **Capabilities:** Bypassing denylists/allowlists, accessing internal metadata services, exfiltrating data via CORS, and redirecting users to malicious domains.
- **First Seen:** Continuous evolution; 2024 Edition updates reflect modern parser differentials.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1190 - Exploit Public-Facing Application**
- **TA0005 - Defense Evasion**
- **T1562 - Impair Defenses**
- **TA0010 - Exfiltration**
- **T1048 - Exfiltration Over Alternative Protocol** (via webhooks)
## Functionality
### Core Capabilities
- **Parser Differential Exploitation:** Using characters like semicolons (`;`), backslashes (`\`), or null bytes so that the security filter and the component that actually issues the request see two different destination hosts.
- **Encoding Obfuscation:** Utilizing URL encoding (double encoding, triple encoding) to hide restricted strings or IP addresses from simple regex filters.
- **Schema Manipulation:** Using absolute URLs or alternative protocol schemes to bypass logic that only checks for `http://` or `https://`.
### Advanced Features
- **Host Header Injection:** Using unconventional host headers (e.g., `X-Forwarded-Host`) or multiple Host headers to trick the application into trusting a malicious domain.
- **User-Info Exploitation:** Embedding credentials in the userinfo part of the URL (`https://user@host`) so that a filter which validates only the beginning of the string sees an allowed name while the request goes to the host after the `@`.
- **CORS Origin Manipulation:** Crafting origins that look like the target domain (e.g., `target-domain.com.attacker.com`) to bypass weak regex matches.
## Indicators of Compromise
- **File Hashes:** N/A (Technique-based)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:**
  - Outbound requests to internal-only IP ranges: `http://127.0.0.1`, `http://169.254.169.254` (AWS/Cloud Metadata).
  - Requests containing suspicious characters in the URL path: `%00`, `%0d%0a`, `..%2f`.
  - Domains structured as `target-domain[.]attacker[.]com`.
- **Behavioral Indicators:**
  - Sudden spikes in outbound requests from the web server to internal network assets.
  - Web logs showing a high frequency of 403 (Forbidden) followed by a 200 (OK) with anomalous URL parameters.
## Associated Threat Actors
- **General Web Exploiters:** Broadly used by bug bounty hunters and penetration testers.
- **APT Groups:** Known to use SSRF to pivot into cloud infrastructure (e.g., **UNC2452** / SolarWinds attackers used similar pivoting logic).
- **Financially Motivated Actors:** Use open redirects for more convincing phishing campaigns.
## Detection Methods
- **Signature-based detection:** WAF rules targeting URL encoding patterns and internal CIDR blocks in request parameters.
- **Behavioral detection:** Monitoring for "Confused Deputy" behavior where a web server communicates with ports or services it does not typically interact with.
- **YARA Rules:**
  - Use YARA-L or a similar engine to flag logs containing `https://\\` or `@` symbols in unexpected URL parameter fields.
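The following Python is an added example, not part of this analysis or of any detection product. It runs the signature and behavioural checks named above over a few constructed combined-format log lines: a `@` (userinfo) or backslash inside a URL-valued parameter, percent-encoded control bytes such as `%00` or `%0d%0a`, and literal internal addresses like `127.0.0.1` or `169.254.169.254`, then correlates a blocked (403) flagged request with a later successful (200) flagged request from the same client. Client IPs, endpoints (`/fetch`, `/redirect`) and the inspected parameter names are constructed assumptions.

```python
"""Scan web-server log lines for URL-validation-bypass markers.

Added example. All log lines, addresses and endpoint names are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format). The requested path is the
# application's own endpoint; the interesting content is in the url=/target=
# query parameters that an SSRF-prone fetcher or an open redirect would read.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /fetch?url=https%3A%2F%2Fcdn.example%2Fimg.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /fetch?url=https%3A%2F%2Fcdn.example%40169.254.169.254%2Flatest%2F HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.11 - - [01/Jan/2024:10:00:03 +0000] "GET /fetch?url=https%3A%2F%2Fcdn.example%5C%40169.254.169.254%2Flatest%2F HTTP/1.1" 200 1402 "-" "curl/8.0"
203.0.113.12 - - [01/Jan/2024:10:00:04 +0000] "GET /redirect?target=https%3A%2F%2Fcdn.example%00.evil.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2024:10:00:05 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 88 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Parameter names that carry a URL the server will fetch or redirect to (assumed list).
URL_PARAMS = {"url", "target", "redirect", "next"}
IP_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def suspicious_reasons(value: str) -> list[str]:
    """Return the bypass markers found in one decoded parameter value."""
    reasons = []
    if "@" in value:
        reasons.append("userinfo '@' in URL")
    if "\\" in value:
        reasons.append("backslash in URL")
    if any(ord(c) < 0x20 for c in value):
        reasons.append("encoded control character (e.g. %00, %0d%0a)")
    host = urlsplit(value).hostname or ""
    if IP_LITERAL_RE.match(host):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # e.g. 999.1.1.1 looks like an IP but is not one
        if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
            reasons.append(f"internal address {host}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Signature pass: one finding per flagged URL-valued parameter, in log order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["path"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in URL_PARAMS:
                continue
            for value in values:  # parse_qs has already percent-decoded the value
                reasons = suspicious_reasons(value)
                if reasons:
                    findings.append({
                        "line": line_no, "client": m["client"], "status": int(m["status"]),
                        "param": name, "value": value, "reasons": reasons,
                    })
    return findings


def probe_then_success(findings: list[dict]) -> list[str]:
    """Behavioural pass: clients whose flagged request was blocked (403) and who
    later received a 200 on another flagged request. Assumes log order."""
    blocked, hits = set(), []
    for f in findings:
        if f["status"] == 403:
            blocked.add(f["client"])
        elif f["status"] == 200 and f["client"] in blocked and f["client"] not in hits:
            hits.append(f["client"])
    return hits


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']} {f['client']} {f['status']} {f['param']}={f['value']!r}: {', '.join(f['reasons'])}")
    print("probe-then-success clients:", probe_then_success(found))
```

The signature pass works on the decoded parameter value, so double-encoded payloads that the application decodes a second time are only caught if the application logs the decoded form as well; pair this with the egress-side monitoring from the Behavioral detection bullet rather than relying on request logs alone.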
## Mitigation Strategies
- **Primary Prevention:** Implement a "Strict Allowlist" for domains and IP addresses rather than a denylist.
- **Hardening:**
  - Use a single, well-vetted library for URL parsing across the entire stack to avoid differentials.
  - Disable support for unused protocols (e.g., `file://`, `gopher://`, `ftp://`).
  - Authenticate all internal service-to-service communication.
- **Architecture:** Deploy a dedicated egress proxy to filter outbound traffic from the application tier.
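As an added example (not part of this analysis or of the cheat sheet it summarises), the Python below puts the weak check and the hardened check side by side. `naive_prefix_check` is the kind of string-prefix filter that the userinfo, suffix-host, backslash and encoding tricks from the Functionality section slip past; `strict_check` follows the Mitigation bullets: one parser (`urllib.parse`), a strict hostname allowlist, and only the scheme actually in use. The hostnames `target.example`, `api.target.example` and `attacker.example` are constructed placeholders.

```python
"""A naive prefix check beside a parser-based allowlist check for outbound URLs.

Added example; hostnames are constructed placeholders.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"target.example", "api.target.example"}  # constructed allowlist
ALLOWED_SCHEMES = {"https"}                               # only what the feature needs


def naive_prefix_check(url: str) -> bool:
    """Weak filter: 'does the string start with our domain?'. Anything that
    places an allowed-looking name before the real host passes this."""
    return url.startswith("https://target.example")


def strict_check(url: str) -> tuple[bool, str]:
    """Parse once, then apply an allowlist to the parsed result.

    Returns (accepted, reason) so the caller can log why a URL was refused.
    """
    # Backslash is a classic differential: WHATWG-style parsers treat "\\" as
    # "/" for http(s); urllib does not. Refuse rather than guess who is right.
    if "\\" in url:
        return False, "backslash in URL"
    # Control characters and whitespace never belong in a URL to be fetched.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False, "control character or whitespace in URL"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    # user:pass@host lets an allowed name precede the host that is really used.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    host = parts.hostname  # lowercased, port removed, IPv6 brackets stripped
    if not host:
        return False, "no host"
    # Percent-encoding has no place in a hostname; a filter that decodes once
    # and a backend that decodes again would otherwise disagree on the host.
    if "%" in parts.netloc:
        return False, "percent-encoding in authority"
    if ";" in parts.netloc:
        return False, "semicolon in authority"
    # Exact match against the allowlist: no prefix, suffix or substring logic.
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    return True, "ok"


# Constructed inputs, each mirroring one bypass class from the cheat sheet.
SAMPLES = [
    "https://target.example/data",                   # legitimate
    "https://api.target.example/v1",                 # legitimate, second allowed host
    "https://target.example@attacker.example/",      # userinfo
    "https://target.example.attacker.example/",      # allowed name as a prefix of the host
    "https://target.example\\@attacker.example/",    # backslash differential
    "https://target.example%40attacker.example/",    # encoded '@'
    "https://target.example;attacker.example/",      # semicolon differential
    "http://target.example/",                        # scheme not in use
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:48} naive={naive_prefix_check(sample)!s:5} strict={strict_check(sample)}")
```

The allowlist decides on the parsed hostname only; it does not resolve the name, so a permitted hostname that resolves (or is later rebound) to an internal address is out of its scope. That gap is what the dedicated egress proxy in the Architecture bullet is for, and it is why the two controls belong together.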
## Related Tools/Techniques
- **SSRF (Server-Side Request Forgery):** The primary vulnerability leveraged by these bypasses.
- **Open Redirection:** Using bypasses to send victims to phishing sites.
- **Burp Suite:** The industry-standard tool for testing and automating these bypass payloads.
- **Collaborator / Interaction Servers:** Used to verify a successful outbound bypass.