14 lines
606 B
Plaintext
14 lines
606 B
Plaintext
==== The trap of 'StartsWith' and equivalents
|
|
|
|
When validating untrusted URLs by checking if they start with a trusted scheme
|
|
and authority pair `scheme://authority`, **ensure that the validation string
|
|
contains a path separator `/` as the last character**. +
|
|
|
|
If the validation string does not contain a terminating path separator, the
|
|
SSRF vulnerability remains; only the exploitation technique changes.
|
|
|
|
Thus, a validation like `startsWith("https://example.com")` or an equivalent
|
|
with the regex `^https://example\.com.*` can be exploited with the following
|
|
URL `\https://example.commit.malicious.io`.
|
|
|