JLLeitschuh changed the title from "HISTORY: URL Parsing Differences Between Implementations Security Issues" to "HISTORY & SECURITY: URL Parsing Differences Between Implementations Security Issues" on Mar 28, 2023
You might also be interested in The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski. I'm pretty sure URL parsing is discussed, though it's been a while since I read it.
But yes, security is a large part of the reason to pursue this effort. Not sure anyone here needs convincing of that, but exploits do always make for interesting reading and sometimes inform necessary changes.
The goal of this thread is to capture, in a single location, all cases where URL parsing, due to differences in parsing, has led to a security issue.
This was inspired by the work by Orange Tsai from 2016:
There has been more recent research into this topic by Claroty and Snyk:
I welcome others to add additional links to additional vulnerabilities. Hopefully the WHATWG can use these resources to learn about where inconsistencies between the current existing URL parsers cause security impact in real-world applications.