15 lines
780 B
Plaintext
15 lines
780 B
Plaintext
==== The trap of 'StartsWith' and equivalents
|
|
|
|
When validating untrusted URLs by checking if they start with a trusted scheme
|
|
and authority pair `scheme://authority`, **ensure that the validation string
|
|
contains a path separator `/` as the last character**. +
|
|
|
|
If the validation string does not contain a terminating path separator, the
|
|
Open Redirect vulnerability remains; only the exploitation technique
|
|
changes.
|
|
|
|
Thus, a validation like `startsWith("https://example.com")` or an equivalent
|
|
with the regex `^https://example\.com.*` can be exploited with the following
|
|
URL `\https://example.com.malicious.io`. The practice of taking over domains
|
|
that maliciously look like existing domains is widespread and is called
|
|
https://en.wikipedia.org/wiki/Cybersquatting[Cybersquatting]. |