├── .github └── workflows │ └── node.js.yml ├── .gitignore ├── README.md ├── build.js ├── package-lock.json ├── package.json ├── schema.json ├── slides └── URL validation bypass cheat sheet.pptx.pdf └── src ├── cloud_metadata_endpoints.json ├── domain_allow_list_bypass.json ├── fake_relative_urls.json ├── ipv6.json ├── loopback.json └── url-spliting_unicode_characters.json /.github/workflows/node.js.yml: -------------------------------------------------------------------------------- 1 | # This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node 2 | # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs 3 | 4 | name: Node.js CI 5 | 6 | on: 7 | push: 8 | branches: [ "main" ] 9 | pull_request: 10 | branches: [ "main" ] 11 | # NOTE(review): no permissions key is set, so the job runs with the repository default GITHUB_TOKEN scope; nothing visible here writes back to the repository, so an explicit permissions: contents: read would state that. 12 | jobs: 13 | build: 14 | 15 | runs-on: ubuntu-latest 16 | 17 | strategy: 18 | matrix: 19 | node-version: [20.x, 22.x] 20 | # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ 21 | # NOTE(review): both actions below are referenced by the mutable tag v4; pinning each to a full commit SHA fixes the exact code that runs. 22 | steps: 23 | - uses: actions/checkout@v4 24 | - name: Use Node.js ${{ matrix.node-version }} 25 | uses: actions/setup-node@v4 26 | with: 27 | node-version: ${{ matrix.node-version }} 28 | cache: 'npm' 29 | - run: npm ci 30 | - run: npm run build --if-present 31 | - run: npm test # package.json defines test as an echo followed by exit 0, so this step cannot fail; schema validation of the JSON data runs in the build step above (node build.js). 32 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Logs 2 | logs 3 | *.log 4 | npm-debug.log* 5 | yarn-debug.log* 6 | yarn-error.log* 7 | lerna-debug.log* 8 | .pnpm-debug.log* 9 | 10 | # Diagnostic reports (https://nodejs.org/api/report.html) 11 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 12 | 13 | # Runtime data 14 | pids 15 | *.pid 16 | *.seed 17 | *.pid.lock 18 | 19 | # Directory for instrumented libs generated by jscoverage/JSCover 20 | lib-cov 21 | 22 | # Coverage 
directory used by tools like istanbul 23 | coverage 24 | *.lcov 25 | 26 | # nyc test coverage 27 | .nyc_output 28 | 29 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 30 | .grunt 31 | 32 | # Bower dependency directory (https://bower.io/) 33 | bower_components 34 | 35 | # node-waf configuration 36 | .lock-wscript 37 | 38 | # Compiled binary addons (https://nodejs.org/api/addons.html) 39 | build/Release 40 | 41 | # Dependency directories 42 | node_modules/ 43 | jspm_packages/ 44 | 45 | # Snowpack dependency directory (https://snowpack.dev/) 46 | web_modules/ 47 | 48 | # TypeScript cache 49 | *.tsbuildinfo 50 | 51 | # Optional npm cache directory 52 | .npm 53 | 54 | # Optional eslint cache 55 | .eslintcache 56 | 57 | # Optional stylelint cache 58 | .stylelintcache 59 | 60 | # Microbundle cache 61 | .rpt2_cache/ 62 | .rts2_cache_cjs/ 63 | .rts2_cache_es/ 64 | .rts2_cache_umd/ 65 | 66 | # Optional REPL history 67 | .node_repl_history 68 | 69 | # Output of 'npm pack' 70 | *.tgz 71 | 72 | # Yarn Integrity file 73 | .yarn-integrity 74 | 75 | # dotenv environment variable files 76 | .env 77 | .env.development.local 78 | .env.test.local 79 | .env.production.local 80 | .env.local 81 | 82 | # parcel-bundler cache (https://parceljs.org/) 83 | .cache 84 | .parcel-cache 85 | 86 | # Next.js build output 87 | .next 88 | out 89 | 90 | # Nuxt.js build / generate output 91 | .nuxt 92 | dist 93 | 94 | # Gatsby files 95 | .cache/ 96 | # Comment in the public line in if your project uses Gatsby and not Next.js 97 | # https://nextjs.org/blog/next-9-1#public-directory-support 98 | # public 99 | 100 | # vuepress build output 101 | .vuepress/dist 102 | 103 | # vuepress v2.x temp and cache directory 104 | .temp 105 | .cache 106 | 107 | # Docusaurus cache and generated files 108 | .docusaurus 109 | 110 | # Serverless directories 111 | .serverless/ 112 | 113 | # FuseBox cache 114 | .fusebox/ 115 | 116 | # DynamoDB Local files 117 | .dynamodb/ 118 | 119 | 
# TernJS port file 120 | .tern-port 121 | 122 | # Stores VSCode versions used for testing VSCode extensions 123 | .vscode-test 124 | 125 | # yarn v2 126 | .yarn/cache 127 | .yarn/unplugged 128 | .yarn/build-state.yml 129 | .yarn/install-state.gz 130 | .pnp.* 131 | 132 | # General 133 | .DS_Store 134 | .AppleDouble 135 | .LSOverride 136 | 137 | # Icon must end with two \r 138 | Icon 139 | 140 | 141 | # Thumbnails 142 | ._* 143 | 144 | # Files that might appear in the root of a volume 145 | .DocumentRevisions-V100 146 | .fseventsd 147 | .Spotlight-V100 148 | .TemporaryItems 149 | .Trashes 150 | .VolumeIcon.icns 151 | .com.apple.timemachine.donotpresent 152 | 153 | # Directories potentially created on remote AFP share 154 | .AppleDB 155 | .AppleDesktop 156 | Network Trash Folder 157 | Temporary Items 158 | .apdisk -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # URL validation bypass cheat sheet data 2 | 3 | This is the data that powers the [PortSwigger URL validation bypass cheat sheet](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet). We have put this data on GitHub so the community can contribute vectors via pull requests. 4 | 5 | ## Contributing 6 | 7 | To contribute, please create a pull request with changes to the JSON data. 8 | 9 | For example, to add a new payload to the `domain_allow_list_bypass.json` file, use the following template: 10 | 11 | ```json 12 | { 13 | "id": "d82a33ae7aa92b0f1f1f5d71a24c0f1197da4e7a", 14 | "payload": ".", 15 | "description": ".", 16 | "tags": ["URL", "HOST", "CORS"], 17 | "filters": [] 18 | } 19 | ``` 20 | 21 | - The `id` should be a SHA-1 hash of the payload parameters: `${prefix}${payload}${suffix}`. The build script (`build.js`) recomputes this value from those three fields for every entry, so it serves as an identifier for de-duplication rather than as an integrity check. 22 | - The `payload` may include template strings `` and ``, which will be replaced with corresponding domain names during wordlist generation. 
23 | - The `description` property is not processed during execution. 24 | - The `tags` array should only include supported tags: URL, HOST, and CORS. 25 | - The `filters` array should remain empty as it is intended for future releases with advanced filtering options. 26 | 27 | Please make sure you search the data to ensure your vector hasn't already been added. The json schema validation file available at [schema.json](schema.json) 28 | Please include your Twitter handle in the pull request message if you would like to be credited with it. 29 | 30 | ## License 31 | 32 | The copyright for this project belongs to PortSwigger Web Security. We do not want this data to be used to create derivative cheat sheets hosted elsewhere, so we are not providing a license. That said, you are free to fork this repo in order to create pull requests back. 33 | -------------------------------------------------------------------------------- /build.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const path = require('path'); 3 | const util = require('util'); 4 | const Ajv = require('ajv/dist/2020'); 5 | const crypto = require('crypto'); 6 | 7 | const readdir = util.promisify(fs.readdir); 8 | const readFile = util.promisify(fs.readFile); 9 | const writeFile = util.promisify(fs.writeFile); 10 | 11 | const ROOT = './src/'; 12 | const SCHEMA_PATH = './schema.json'; 13 | const DIST_DIR = 'dist'; 14 | const DIST_FILE = 'Payloads.js'; 15 | /* encodeUnicode: returns str with ASCII characters unchanged and every other character replaced by a backslash-u escape of its first UTF-16 code unit. NOTE(review): Array.from splits by code point but charCodeAt(0) reads only the first code unit, so a character outside the BMP (a surrogate pair) is written as its high surrogate alone and the low surrogate is dropped. For a list whose entries depend on exact code points, that silently changes the published payload; iterating by code unit, or escaping both halves, would keep it intact. */ 16 | function encodeUnicode(str) { 17 | return Array.from(str).map(char => { 18 | if (char.charCodeAt(0) < 128) return char; 19 | return `\\u${char.charCodeAt(0).toString(16).padStart(4, '0')}`; 20 | }).join(''); 21 | } 22 | /* generateId: SHA-1 hex digest of prefix + payload + suffix. It is used as an identifier for the uniqueness check, not as an integrity or authenticity control. NOTE(review): schema.json does not list prefix or suffix as required, and an absent field is interpolated as the literal text undefined, so such an entry hashes differently from the payload alone. The three fields are joined without a delimiter, so the same string split differently across them yields the same id. */ 23 | function generateId(prefix, payload, suffix) { 24 | const hash = crypto.createHash('sha1'); 25 | hash.update(`${prefix}${payload}${suffix}`); 26 | return hash.digest('hex'); 27 | } 28 | /* validateWordlist: reads one file as UTF-8, parses it as JSON and runs the compiled schema validator over the result; throws an Error carrying the validator errors on failure, otherwise returns the parsed wordlist. NOTE(review): in schema.json the per-payload required list appears to sit beside items rather than inside it, so an entry missing id, payload, description or tags may still pass - confirm against the schema. */ 29 | async function validateWordlist(schemaValidator, filePath) { 30 | const 
content = await readFile(filePath, 'utf8'); 31 | const wordlist = JSON.parse(content); 32 | if (!schemaValidator(wordlist)) { 33 | throw new Error(`Validation failed for ${filePath}:\n${JSON.stringify(schemaValidator.errors, null, 2)}`); 34 | } 35 | return wordlist; 36 | } 37 | /* checkUniqueIds: counts how often each id occurs across the payloads of every wordlist in the Map and throws an Error listing the ids that occur more than once. Because aggregateJson derives ids from prefix, payload and suffix before calling this, a duplicate means the same vector appears twice, possibly in two different files. */ 38 | function checkUniqueIds(wordlists) { 39 | const idCounts = Array.from(wordlists.values()).flatMap(wl => wl.payloads).reduce((acc, { id }) => { 40 | acc[id] = (acc[id] || 0) + 1; 41 | return acc; 42 | }, {}); 43 | 44 | const nonUniqueIds = Object.keys(idCounts).filter(id => idCounts[id] > 1); 45 | if (nonUniqueIds.length > 0) { 46 | throw new Error(`Non-unique IDs found: ${nonUniqueIds.join(', ')}`); 47 | } 48 | } 49 | /* aggregateJson: compiles schema.json with Ajv (strict mode off), validates every .json file in the src directory, recomputes each payload id, sorts each wordlist by payload string, checks id uniqueness across all files, then writes one JSON file per wordlist plus the combined Payloads.js module into dist. Any validation or uniqueness failure rejects the returned promise before anything is written. */ 50 | async function aggregateJson() { 51 | const ajv = new Ajv({ strict: false }); 52 | const schema = JSON.parse(fs.readFileSync(path.resolve(__dirname, SCHEMA_PATH), 'utf-8')); 53 | const validate = ajv.compile(schema); 54 | 55 | const payloadsDir = path.resolve(__dirname, ROOT); 56 | const files = await readdir(payloadsDir); 57 | let wordlists = new Map(); 58 | 59 | for (const file of files.filter(f => f.endsWith('.json'))) { 60 | const filePath = path.join(payloadsDir, file); 61 | const wordlist = await validateWordlist(validate, filePath); 62 | /* The id committed in the source file is overwritten here, so a contributor-supplied id is never trusted. NOTE(review): the sort below reads payload on every entry and throws a TypeError if one lacks it. */ 63 | wordlist.payloads.forEach(element => { 64 | element.id = generateId(element.prefix, element.payload, element.suffix); 65 | }); 66 | let sorted = wordlist.payloads.sort((a,b) => a.payload.localeCompare(b.payload)); 67 | wordlist.payloads = sorted; 68 | 69 | wordlists.set(file, wordlist); 70 | } 71 | 72 | checkUniqueIds(wordlists); 73 | 74 | const distPath = path.join(__dirname, DIST_DIR); 75 | if (!fs.existsSync(distPath)) { 76 | fs.mkdirSync(distPath, { recursive: true }); 77 | } 78 | for (const [key, value] of wordlists) { 79 | await writeFile(path.join(distPath, key), encodeUnicode(JSON.stringify(value, null, 2))); 80 | } 81 | const output = `export const PAYLOADS = 
${encodeUnicode(JSON.stringify(Array.from(wordlists.values()), null, 2))};`; 82 | await writeFile(path.join(distPath, DIST_FILE), output); 83 | console.log(`Aggregated JSON files into ${path.join(distPath, DIST_FILE)}`); 84 | } 85 | 86 | aggregateJson().catch(err => { 87 | console.error('Failed to aggregate JSON files:', err); 88 | process.exit(1); 89 | }); 90 | -------------------------------------------------------------------------------- /package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "url-cheatsheet-data", 3 | "version": "1.0.0", 4 | "lockfileVersion": 3, 5 | "requires": true, 6 | "packages": { 7 | "": { 8 | "name": "url-cheatsheet-data", 9 | "version": "1.0.0", 10 | "license": "The copyright for this project belongs to PortSwigger Web Security", 11 | "dependencies": { 12 | "ajv": "^8.17.1" 13 | }, 14 | "devDependencies": { 15 | "rimraf": "^6.0.1" 16 | } 17 | }, 18 | "node_modules/@isaacs/cliui": { 19 | "version": "8.0.2", 20 | "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", 21 | "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", 22 | "dev": true, 23 | "dependencies": { 24 | "string-width": "^5.1.2", 25 | "string-width-cjs": "npm:string-width@^4.2.0", 26 | "strip-ansi": "^7.0.1", 27 | "strip-ansi-cjs": "npm:strip-ansi@^6.0.1", 28 | "wrap-ansi": "^8.1.0", 29 | "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0" 30 | }, 31 | "engines": { 32 | "node": ">=12" 33 | } 34 | }, 35 | "node_modules/@pkgjs/parseargs": { 36 | "version": "0.11.0", 37 | "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", 38 | "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", 39 | "dev": true, 40 | "optional": true, 41 | "engines": { 42 | "node": ">=14" 43 | } 44 | }, 45 | "node_modules/ajv": { 46 | "version": "8.17.1", 47 | "resolved": 
"https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz", 48 | "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==", 49 | "dependencies": { 50 | "fast-deep-equal": "^3.1.3", 51 | "fast-uri": "^3.0.1", 52 | "json-schema-traverse": "^1.0.0", 53 | "require-from-string": "^2.0.2" 54 | }, 55 | "funding": { 56 | "type": "github", 57 | "url": "https://github.com/sponsors/epoberezkin" 58 | } 59 | }, 60 | "node_modules/ansi-regex": { 61 | "version": "6.0.1", 62 | "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz", 63 | "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==", 64 | "dev": true, 65 | "engines": { 66 | "node": ">=12" 67 | }, 68 | "funding": { 69 | "url": "https://github.com/chalk/ansi-regex?sponsor=1" 70 | } 71 | }, 72 | "node_modules/ansi-styles": { 73 | "version": "6.2.1", 74 | "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", 75 | "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", 76 | "dev": true, 77 | "engines": { 78 | "node": ">=12" 79 | }, 80 | "funding": { 81 | "url": "https://github.com/chalk/ansi-styles?sponsor=1" 82 | } 83 | }, 84 | "node_modules/balanced-match": { 85 | "version": "1.0.2", 86 | "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", 87 | "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", 88 | "dev": true 89 | }, 90 | "node_modules/brace-expansion": { 91 | "version": "2.0.1", 92 | "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", 93 | "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", 94 | "dev": true, 95 | "dependencies": { 96 | "balanced-match": "^1.0.0" 97 | } 98 | }, 99 | "node_modules/color-convert": { 100 | "version": "2.0.1", 101 
| "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", 102 | "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", 103 | "dev": true, 104 | "dependencies": { 105 | "color-name": "~1.1.4" 106 | }, 107 | "engines": { 108 | "node": ">=7.0.0" 109 | } 110 | }, 111 | "node_modules/color-name": { 112 | "version": "1.1.4", 113 | "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", 114 | "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", 115 | "dev": true 116 | }, 117 | "node_modules/cross-spawn": { 118 | "version": "7.0.3", 119 | "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", 120 | "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", 121 | "dev": true, 122 | "dependencies": { 123 | "path-key": "^3.1.0", 124 | "shebang-command": "^2.0.0", 125 | "which": "^2.0.1" 126 | }, 127 | "engines": { 128 | "node": ">= 8" 129 | } 130 | }, 131 | "node_modules/eastasianwidth": { 132 | "version": "0.2.0", 133 | "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", 134 | "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", 135 | "dev": true 136 | }, 137 | "node_modules/emoji-regex": { 138 | "version": "9.2.2", 139 | "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", 140 | "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", 141 | "dev": true 142 | }, 143 | "node_modules/fast-deep-equal": { 144 | "version": "3.1.3", 145 | "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", 146 | "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" 147 | }, 148 | "node_modules/fast-uri": { 
149 | "version": "3.0.1", 150 | "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.1.tgz", 151 | "integrity": "sha512-MWipKbbYiYI0UC7cl8m/i/IWTqfC8YXsqjzybjddLsFjStroQzsHXkc73JutMvBiXmOvapk+axIl79ig5t55Bw==" 152 | }, 153 | "node_modules/foreground-child": { 154 | "version": "3.2.1", 155 | "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.2.1.tgz", 156 | "integrity": "sha512-PXUUyLqrR2XCWICfv6ukppP96sdFwWbNEnfEMt7jNsISjMsvaLNinAHNDYyvkyU+SZG2BTSbT5NjG+vZslfGTA==", 157 | "dev": true, 158 | "dependencies": { 159 | "cross-spawn": "^7.0.0", 160 | "signal-exit": "^4.0.1" 161 | }, 162 | "engines": { 163 | "node": ">=14" 164 | }, 165 | "funding": { 166 | "url": "https://github.com/sponsors/isaacs" 167 | } 168 | }, 169 | "node_modules/glob": { 170 | "version": "11.0.0", 171 | "resolved": "https://registry.npmjs.org/glob/-/glob-11.0.0.tgz", 172 | "integrity": "sha512-9UiX/Bl6J2yaBbxKoEBRm4Cipxgok8kQYcOPEhScPwebu2I0HoQOuYdIO6S3hLuWoZgpDpwQZMzTFxgpkyT76g==", 173 | "dev": true, 174 | "dependencies": { 175 | "foreground-child": "^3.1.0", 176 | "jackspeak": "^4.0.1", 177 | "minimatch": "^10.0.0", 178 | "minipass": "^7.1.2", 179 | "package-json-from-dist": "^1.0.0", 180 | "path-scurry": "^2.0.0" 181 | }, 182 | "bin": { 183 | "glob": "dist/esm/bin.mjs" 184 | }, 185 | "engines": { 186 | "node": "20 || >=22" 187 | }, 188 | "funding": { 189 | "url": "https://github.com/sponsors/isaacs" 190 | } 191 | }, 192 | "node_modules/is-fullwidth-code-point": { 193 | "version": "3.0.0", 194 | "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", 195 | "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", 196 | "dev": true, 197 | "engines": { 198 | "node": ">=8" 199 | } 200 | }, 201 | "node_modules/isexe": { 202 | "version": "2.0.0", 203 | "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", 204 | "integrity": 
"sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", 205 | "dev": true 206 | }, 207 | "node_modules/jackspeak": { 208 | "version": "4.0.1", 209 | "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.0.1.tgz", 210 | "integrity": "sha512-cub8rahkh0Q/bw1+GxP7aeSe29hHHn2V4m29nnDlvCdlgU+3UGxkZp7Z53jLUdpX3jdTO0nJZUDl3xvbWc2Xog==", 211 | "dev": true, 212 | "dependencies": { 213 | "@isaacs/cliui": "^8.0.2" 214 | }, 215 | "engines": { 216 | "node": "20 || >=22" 217 | }, 218 | "funding": { 219 | "url": "https://github.com/sponsors/isaacs" 220 | }, 221 | "optionalDependencies": { 222 | "@pkgjs/parseargs": "^0.11.0" 223 | } 224 | }, 225 | "node_modules/json-schema-traverse": { 226 | "version": "1.0.0", 227 | "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz", 228 | "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==" 229 | }, 230 | "node_modules/lru-cache": { 231 | "version": "11.0.0", 232 | "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.0.0.tgz", 233 | "integrity": "sha512-Qv32eSV1RSCfhY3fpPE2GNZ8jgM9X7rdAfemLWqTUxwiyIC4jJ6Sy0fZ8H+oLWevO6i4/bizg7c8d8i6bxrzbA==", 234 | "dev": true, 235 | "engines": { 236 | "node": "20 || >=22" 237 | } 238 | }, 239 | "node_modules/minimatch": { 240 | "version": "10.0.1", 241 | "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.0.1.tgz", 242 | "integrity": "sha512-ethXTt3SGGR+95gudmqJ1eNhRO7eGEGIgYA9vnPatK4/etz2MEVDno5GMCibdMTuBMyElzIlgxMna3K94XDIDQ==", 243 | "dev": true, 244 | "dependencies": { 245 | "brace-expansion": "^2.0.1" 246 | }, 247 | "engines": { 248 | "node": "20 || >=22" 249 | }, 250 | "funding": { 251 | "url": "https://github.com/sponsors/isaacs" 252 | } 253 | }, 254 | "node_modules/minipass": { 255 | "version": "7.1.2", 256 | "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", 257 | "integrity": 
"sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", 258 | "dev": true, 259 | "engines": { 260 | "node": ">=16 || 14 >=14.17" 261 | } 262 | }, 263 | "node_modules/package-json-from-dist": { 264 | "version": "1.0.0", 265 | "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.0.tgz", 266 | "integrity": "sha512-dATvCeZN/8wQsGywez1mzHtTlP22H8OEfPrVMLNr4/eGa+ijtLn/6M5f0dY8UKNrC2O9UCU6SSoG3qRKnt7STw==", 267 | "dev": true 268 | }, 269 | "node_modules/path-key": { 270 | "version": "3.1.1", 271 | "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", 272 | "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", 273 | "dev": true, 274 | "engines": { 275 | "node": ">=8" 276 | } 277 | }, 278 | "node_modules/path-scurry": { 279 | "version": "2.0.0", 280 | "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.0.tgz", 281 | "integrity": "sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==", 282 | "dev": true, 283 | "dependencies": { 284 | "lru-cache": "^11.0.0", 285 | "minipass": "^7.1.2" 286 | }, 287 | "engines": { 288 | "node": "20 || >=22" 289 | }, 290 | "funding": { 291 | "url": "https://github.com/sponsors/isaacs" 292 | } 293 | }, 294 | "node_modules/require-from-string": { 295 | "version": "2.0.2", 296 | "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", 297 | "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==", 298 | "engines": { 299 | "node": ">=0.10.0" 300 | } 301 | }, 302 | "node_modules/rimraf": { 303 | "version": "6.0.1", 304 | "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-6.0.1.tgz", 305 | "integrity": "sha512-9dkvaxAsk/xNXSJzMgFqqMCuFgt2+KsOFek3TMLfo8NCPfWpBmqwyNn5Y+NX56QUYfCtsyhF3ayiboEoUmJk/A==", 306 | "dev": true, 307 | "dependencies": { 
308 | "glob": "^11.0.0", 309 | "package-json-from-dist": "^1.0.0" 310 | }, 311 | "bin": { 312 | "rimraf": "dist/esm/bin.mjs" 313 | }, 314 | "engines": { 315 | "node": "20 || >=22" 316 | }, 317 | "funding": { 318 | "url": "https://github.com/sponsors/isaacs" 319 | } 320 | }, 321 | "node_modules/shebang-command": { 322 | "version": "2.0.0", 323 | "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", 324 | "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", 325 | "dev": true, 326 | "dependencies": { 327 | "shebang-regex": "^3.0.0" 328 | }, 329 | "engines": { 330 | "node": ">=8" 331 | } 332 | }, 333 | "node_modules/shebang-regex": { 334 | "version": "3.0.0", 335 | "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", 336 | "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", 337 | "dev": true, 338 | "engines": { 339 | "node": ">=8" 340 | } 341 | }, 342 | "node_modules/signal-exit": { 343 | "version": "4.1.0", 344 | "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", 345 | "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", 346 | "dev": true, 347 | "engines": { 348 | "node": ">=14" 349 | }, 350 | "funding": { 351 | "url": "https://github.com/sponsors/isaacs" 352 | } 353 | }, 354 | "node_modules/string-width": { 355 | "version": "5.1.2", 356 | "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", 357 | "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", 358 | "dev": true, 359 | "dependencies": { 360 | "eastasianwidth": "^0.2.0", 361 | "emoji-regex": "^9.2.2", 362 | "strip-ansi": "^7.0.1" 363 | }, 364 | "engines": { 365 | "node": ">=12" 366 | }, 367 | "funding": { 368 | "url": "https://github.com/sponsors/sindresorhus" 369 | } 
370 | }, 371 | "node_modules/string-width-cjs": { 372 | "name": "string-width", 373 | "version": "4.2.3", 374 | "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", 375 | "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", 376 | "dev": true, 377 | "dependencies": { 378 | "emoji-regex": "^8.0.0", 379 | "is-fullwidth-code-point": "^3.0.0", 380 | "strip-ansi": "^6.0.1" 381 | }, 382 | "engines": { 383 | "node": ">=8" 384 | } 385 | }, 386 | "node_modules/string-width-cjs/node_modules/ansi-regex": { 387 | "version": "5.0.1", 388 | "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", 389 | "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", 390 | "dev": true, 391 | "engines": { 392 | "node": ">=8" 393 | } 394 | }, 395 | "node_modules/string-width-cjs/node_modules/emoji-regex": { 396 | "version": "8.0.0", 397 | "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", 398 | "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", 399 | "dev": true 400 | }, 401 | "node_modules/string-width-cjs/node_modules/strip-ansi": { 402 | "version": "6.0.1", 403 | "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", 404 | "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", 405 | "dev": true, 406 | "dependencies": { 407 | "ansi-regex": "^5.0.1" 408 | }, 409 | "engines": { 410 | "node": ">=8" 411 | } 412 | }, 413 | "node_modules/strip-ansi": { 414 | "version": "7.1.0", 415 | "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", 416 | "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", 417 | "dev": true, 418 | "dependencies": { 419 | "ansi-regex": "^6.0.1" 420 | }, 421 | "engines": { 
422 | "node": ">=12" 423 | }, 424 | "funding": { 425 | "url": "https://github.com/chalk/strip-ansi?sponsor=1" 426 | } 427 | }, 428 | "node_modules/strip-ansi-cjs": { 429 | "name": "strip-ansi", 430 | "version": "6.0.1", 431 | "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", 432 | "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", 433 | "dev": true, 434 | "dependencies": { 435 | "ansi-regex": "^5.0.1" 436 | }, 437 | "engines": { 438 | "node": ">=8" 439 | } 440 | }, 441 | "node_modules/strip-ansi-cjs/node_modules/ansi-regex": { 442 | "version": "5.0.1", 443 | "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", 444 | "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", 445 | "dev": true, 446 | "engines": { 447 | "node": ">=8" 448 | } 449 | }, 450 | "node_modules/which": { 451 | "version": "2.0.2", 452 | "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", 453 | "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", 454 | "dev": true, 455 | "dependencies": { 456 | "isexe": "^2.0.0" 457 | }, 458 | "bin": { 459 | "node-which": "bin/node-which" 460 | }, 461 | "engines": { 462 | "node": ">= 8" 463 | } 464 | }, 465 | "node_modules/wrap-ansi": { 466 | "version": "8.1.0", 467 | "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", 468 | "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", 469 | "dev": true, 470 | "dependencies": { 471 | "ansi-styles": "^6.1.0", 472 | "string-width": "^5.0.1", 473 | "strip-ansi": "^7.0.1" 474 | }, 475 | "engines": { 476 | "node": ">=12" 477 | }, 478 | "funding": { 479 | "url": "https://github.com/chalk/wrap-ansi?sponsor=1" 480 | } 481 | }, 482 | "node_modules/wrap-ansi-cjs": { 483 | "name": "wrap-ansi", 484 | "version": "7.0.0", 
485 | "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", 486 | "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", 487 | "dev": true, 488 | "dependencies": { 489 | "ansi-styles": "^4.0.0", 490 | "string-width": "^4.1.0", 491 | "strip-ansi": "^6.0.0" 492 | }, 493 | "engines": { 494 | "node": ">=10" 495 | }, 496 | "funding": { 497 | "url": "https://github.com/chalk/wrap-ansi?sponsor=1" 498 | } 499 | }, 500 | "node_modules/wrap-ansi-cjs/node_modules/ansi-regex": { 501 | "version": "5.0.1", 502 | "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", 503 | "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", 504 | "dev": true, 505 | "engines": { 506 | "node": ">=8" 507 | } 508 | }, 509 | "node_modules/wrap-ansi-cjs/node_modules/ansi-styles": { 510 | "version": "4.3.0", 511 | "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", 512 | "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", 513 | "dev": true, 514 | "dependencies": { 515 | "color-convert": "^2.0.1" 516 | }, 517 | "engines": { 518 | "node": ">=8" 519 | }, 520 | "funding": { 521 | "url": "https://github.com/chalk/ansi-styles?sponsor=1" 522 | } 523 | }, 524 | "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": { 525 | "version": "8.0.0", 526 | "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", 527 | "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", 528 | "dev": true 529 | }, 530 | "node_modules/wrap-ansi-cjs/node_modules/string-width": { 531 | "version": "4.2.3", 532 | "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", 533 | "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", 534 | "dev": 
true, 535 | "dependencies": { 536 | "emoji-regex": "^8.0.0", 537 | "is-fullwidth-code-point": "^3.0.0", 538 | "strip-ansi": "^6.0.1" 539 | }, 540 | "engines": { 541 | "node": ">=8" 542 | } 543 | }, 544 | "node_modules/wrap-ansi-cjs/node_modules/strip-ansi": { 545 | "version": "6.0.1", 546 | "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", 547 | "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", 548 | "dev": true, 549 | "dependencies": { 550 | "ansi-regex": "^5.0.1" 551 | }, 552 | "engines": { 553 | "node": ">=8" 554 | } 555 | } 556 | } 557 | } 558 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "url-cheatsheet-data", 3 | "version": "1.0.0", 4 | "description": "URL validation bypass cheat sheet data", 5 | "main": "index.js", 6 | "scripts": { 7 | "clean": "rimraf ./dist", 8 | "build": "npm run clean && node build.js", 9 | "test": "echo \"Error: no test specified\" && exit 0" 10 | }, 11 | "repository": { 12 | "type": "git", 13 | "url": "git+https://github.com/PortSwigger/url-cheatsheet-data.git" 14 | }, 15 | "keywords": [ 16 | "cheat", 17 | "sheet" 18 | ], 19 | "author": "Zakhar Fedotkin", 20 | "license": "The copyright for this project belongs to PortSwigger Web Security", 21 | "bugs": { 22 | "url": "https://github.com/PortSwigger/url-cheatsheet-data/issues" 23 | }, 24 | "homepage": "https://github.com/PortSwigger/url-cheatsheet-data#readme", 25 | "dependencies": { 26 | "ajv": "^8.17.1" 27 | }, 28 | "devDependencies": { 29 | "rimraf": "^6.0.1" 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://json-schema.org/draft/2020-12/schema", 3 | "$id": 
"https://portswigger.net/", 4 | "title": "Payload", 5 | "description": "URL validation bypass cheat sheet payload schema file", 6 | "type": "object", 7 | "properties": { 8 | "name": { 9 | "description": "Wordlist name", 10 | "type": "string" 11 | }, 12 | "payloads": { 13 | "description": "Payloads for the wordlist", 14 | "type": "array", 15 | "items": { 16 | "type": "object", 17 | "properties": { 18 | "id": { 19 | "description": "The unique identifier for a product", 20 | "type": "string" 21 | }, 22 | "payload": { 23 | "description": "Payload string, templates and can be used to be replaced with user values", 24 | "type": "string" 25 | }, 26 | "description": { 27 | "description": "Payload description", 28 | "type": "string" 29 | }, 30 | "prefix": { 31 | "description": "Payload prefix: schema", 32 | "type": "string" 33 | }, 34 | "suffix": { 35 | "description": "Payload suffix: path", 36 | "type": "string" 37 | }, 38 | "port": { 39 | "description": "URL port", 40 | "type": "integer" 41 | }, 42 | "tags": { 43 | "description": "Tags for the payload", 44 | "type": "array", 45 | "items": { 46 | "enum": ["URL", "HOST", "CORS"] 47 | } 48 | }, 49 | "filters": { 50 | "description": "Filters for the payload", 51 | "type": "array", 52 | "items": { 53 | "type": "string" 54 | } 55 | } 56 | } 57 | }, 58 | "required": ["id", "payload", "description", "tags"] 59 | } 60 | }, 61 | "required": ["name", "payloads"] 62 | } 63 | -------------------------------------------------------------------------------- /slides/URL validation bypass cheat sheet.pptx.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PortSwigger/url-cheatsheet-data/9d454aee990f8cadd5fd121c0ae21b7d4b64b300/slides/URL validation bypass cheat sheet.pptx.pdf -------------------------------------------------------------------------------- /src/cloud_metadata_endpoints.json: -------------------------------------------------------------------------------- 
1 | { 2 | "name": "Cloud metadata endpoints", 3 | "payloads": [ 4 | { 5 | "payload": "::FFFF:169.254.169.254", 6 | "prefix": "http://", 7 | "suffix": "/latest/meta-data/", 8 | "description": "IPv4 inside IPv6 representation of 169.254.169.254", 9 | "filters": [], 10 | "tags": ["URL", "HOST"], 11 | "id": "bd636e84a2c71da7fe1f1f13c11c9ae566e120de" 12 | }, 13 | { 14 | "payload": "[::FFFF:169.254.169.254]", 15 | "prefix": "http://", 16 | "suffix": "/latest/meta-data/", 17 | "description": "IPv4 inside IPv6 representation of 169.254.169.254", 18 | "filters": [], 19 | "tags": ["URL", "HOST"], 20 | "id": "d352abb83fec3a1773269884f002b597fb09e4f4" 21 | }, 22 | { 23 | "payload": "[::\ufb00\ufb00:A9FE:A9FE]", 24 | "prefix": "http://", 25 | "suffix": "/latest/meta-data/", 26 | "description": "Latin Small Ligature Ff [::FFFF:A9FE:A9FE]", 27 | "filters": [], 28 | "tags": ["URL", "HOST"], 29 | "id": "5ca09f9651a39f32fef785914354aeacb3880776" 30 | }, 31 | { 32 | "payload": "[::FFFF:A9FE:A9FE]", 33 | "prefix": "http://", 34 | "suffix": "/latest/meta-data/", 35 | "description": "IPv6 representation of 169.254.169.254", 36 | "filters": [], 37 | "tags": ["URL", "HOST"], 38 | "id": "0be6987d241b20a23e3a79dfd50132f316ffb1f7" 39 | }, 40 | { 41 | "payload": "[0:0:0:0:0:\ufb00\ufb00:169.254.169.254]", 42 | "prefix": "http://", 43 | "suffix": "/latest/meta-data/", 44 | "description": "Latin Small Ligature Ff [0:0:0:0:0:FFFF:169.254.169.254]", 45 | "filters": [], 46 | "tags": ["URL", "HOST"], 47 | "id": "ed6207ac50c89c390c04d3b3aaea61823ea11dd6" 48 | }, 49 | { 50 | "payload": "[0:0:0:0:0:FFFF:A9FE:A9FE]", 51 | "prefix": "http://", 52 | "suffix": "/latest/meta-data/", 53 | "description": "Expanded form of [::FFFF:A9FE:A9FE]", 54 | "filters": [], 55 | "tags": ["URL", "HOST"], 56 | "id": "16de66644409c8702be229cae22a0a50262b893c" 57 | }, 58 | { 59 | "payload": "[FD00:EC2::254]", 60 | "prefix": "http://", 61 | "suffix": "/latest/meta-data/", 62 | "description": "AWS EC2 IPv6 address 
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html", 63 | "filters": [], 64 | "tags": ["URL", "HOST"], 65 | "id": "cd81218bf46d4b52310acf6c5888e60858c7b398" 66 | }, 67 | { 68 | "payload": "0251.0376.0251.0376", 69 | "prefix": "http://", 70 | "suffix": "/latest/meta-data/", 71 | "description": "Octal IP of 169.254.169.254", 72 | "filters": [], 73 | "tags": ["URL", "HOST"], 74 | "id": "f5e91dbf51bd94979cbe25df8e9c3a533431a314" 75 | }, 76 | { 77 | "payload": "0x1A9FEA9FE", 78 | "prefix": "http://", 79 | "suffix": "/latest/meta-data/", 80 | "description": "Hexadecimal IP of 169.254.169.254 with overflow", 81 | "filters": [], 82 | "tags": ["URL", "HOST"], 83 | "id": "50a2bf96e6c8a3c46377030a182c77090b7e415d" 84 | }, 85 | { 86 | "payload": "0xA9.0xFE.0xA9.0xFE", 87 | "prefix": "http://", 88 | "suffix": "/latest/meta-data/", 89 | "description": "Hexadecimal IP of 169.254.169.254", 90 | "filters": [], 91 | "tags": ["URL", "HOST"], 92 | "id": "a2f3cc5c8f8d932182dc6ece6612390c8baeabf6" 93 | }, 94 | { 95 | "payload": "0xA9.254.0251.0376", 96 | "prefix": "http://", 97 | "suffix": "/latest/meta-data/", 98 | "description": "Cloud metadata endpoint with mixed base", 99 | "filters": [], 100 | "tags": ["URL", "HOST"], 101 | "id": "e907f3041612f05c0882da7f4886fde65c0badf5" 102 | }, 103 | { 104 | "payload": "169.16689662", 105 | "prefix": "http://", 106 | "suffix": "/latest/meta-data/", 107 | "description": "Cloud metadata endpoint 3 byte wide decimal", 108 | "filters": [], 109 | "tags": ["URL", "HOST"], 110 | "id": "cb6670148a1a265e9de52602d2633cbc1d82ddcb" 111 | }, 112 | { 113 | "payload": "169.254.169.254", 114 | "prefix": "http://", 115 | "suffix": "/latest/meta-data/", 116 | "description": "Cloud metadata endpoint", 117 | "filters": [], 118 | "tags": ["URL", "HOST"], 119 | "id": "0ccb496127f4b822d7284638041456c0cf9903a9" 120 | }, 121 | { 122 | "payload": "169.254.43518", 123 | "prefix": "http://", 124 | "suffix": "/latest/meta-data/", 125 | 
"description": "Cloud metadata endpoint 2 byte wide decimal", 126 | "filters": [], 127 | "tags": ["URL", "HOST"], 128 | "id": "ab702fabd85cab966eed473a26ff030777506d8c" 129 | }, 130 | { 131 | "payload": "2852039166", 132 | "prefix": "http://", 133 | "suffix": "/latest/meta-data/", 134 | "description": "Decimal IP of 169.254.169.254", 135 | "filters": [], 136 | "tags": ["URL", "HOST"], 137 | "id": "2c1973af9f940eafa8ebf98c195460465526c945" 138 | }, 139 | { 140 | "payload": "45801712126", 141 | "prefix": "http://", 142 | "suffix": "/latest/meta-data/", 143 | "description": "Decimal IP of 169.254.169.254 with x10 overflow", 144 | "filters": [], 145 | "tags": ["URL", "HOST"], 146 | "id": "4ec56b2a29ac77e92f07856ccf340e3560926bb8" 147 | }, 148 | { 149 | "payload": "instance-data", 150 | "prefix": "http://", 151 | "suffix": "/latest/meta-data/", 152 | "description": "http://instance-data/latest/meta-data/", 153 | "filters": [], 154 | "tags": ["URL", "HOST"], 155 | "id": "dff5924f89035a24eca8f5f248451835f0ac2bf3" 156 | } 157 | ] 158 | } 159 | -------------------------------------------------------------------------------- /src/domain_allow_list_bypass.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Domain allow list bypass", 3 | "payloads": [ 4 | { 5 | "payload": "\\\\", 6 | "description": "Fake relative url \\\\", 7 | "filters": [], 8 | "tags": ["URL"], 9 | "id": "4b961c715508b6364e5903a76530cb9436992850" 10 | }, 11 | { 12 | "payload": " &@# @", 13 | "description": " &@# @", 14 | "filters": [], 15 | "tags": ["URL", "HOST"], 16 | "id": "f375cf805e259064a2c66c8b1199413e1c64c77c" 17 | }, 18 | { 19 | "payload": ";.", 20 | "description": ";.", 21 | "filters": [], 22 | "tags": ["URL", "HOST"], 23 | "id": "cf3c19c6ac1be177832d2877054904e3faa3a0fb" 24 | }, 25 | { 26 | "payload": ":@", 27 | "description": ":@", 28 | "filters": [], 29 | "tags": ["URL", "HOST"], 30 | "id": "5854dc6ec9467f8dd0cd8c216472732077f24621" 31 | }, 
32 | { 33 | "payload": ":443:\\@@", 34 | "description": ":443:\\@@", 35 | "filters": [], 36 | "tags": ["URL", "HOST"], 37 | "id": "48d79cb766716cce1cc1f39cc380cf51b4dac701" 38 | }, 39 | { 40 | "payload": ":443\\@", 41 | "description": ":443\\@", 42 | "filters": [], 43 | "tags": ["URL", "HOST"], 44 | "id": "369787c6210446c59dc50bf9fcae1d33312b320a" 45 | }, 46 | { 47 | "payload": ":443#\\@", 48 | "description": ":443#\\@", 49 | "filters": [], 50 | "tags": ["URL", "HOST"], 51 | "id": "b165995680f889ffb89a140c6148f93391a7fc01" 52 | }, 53 | { 54 | "payload": ":anything@", 55 | "description": ":anything@", 56 | "filters": [], 57 | "tags": ["URL", "HOST"], 58 | "id": "b45ba05eaeb0059f47a49bf75540c2aee3ad9c87" 59 | }, 60 | { 61 | "payload": "?@", 62 | "description": "?@", 63 | "filters": [], 64 | "tags": ["URL", "HOST"], 65 | "id": "369c77961c6d8f08bddd3555d9108458ee687f25" 66 | }, 67 | { 68 | "payload": "._.", 69 | "description": "._.", 70 | "filters": [], 71 | "tags": ["URL", "HOST", "CORS"], 72 | "id": "0a0c47feab2de7d985309352f38bafb8c758c37e" 73 | }, 74 | { 75 | "payload": ".-.", 76 | "description": ".-.", 77 | "filters": [], 78 | "tags": ["URL", "HOST", "CORS"], 79 | "id": "9b5d746f1d9c93d11d95dcd5c9d7a317779d9cf6" 80 | }, 81 | { 82 | "payload": ".,.", 83 | "description": "Safari allows , as subdomain: .,./", 84 | "filters": [], 85 | "tags": ["URL", "HOST", "CORS"], 86 | "id": "9824c5214ffca489a7bbc5cb4679d765f95420e0" 87 | }, 88 | { 89 | "payload": ".;.", 90 | "description": "Safari allows ; as subdomain: .;./", 91 | "filters": [], 92 | "tags": ["URL", "HOST", "CORS"], 93 | "id": "eb2585a137116f2e960fed94df3f3dd3d3d55712" 94 | }, 95 | { 96 | "payload": ".!.", 97 | "description": "Safari allows ! 
as subdomain: .!./", 98 | "filters": [], 99 | "tags": ["URL", "HOST", "CORS"], 100 | "id": "c922e4af20d82b6b09c20ee9d12b6532f72f6f05" 101 | }, 102 | { 103 | "payload": ".'.", 104 | "description": "Safari allows ' as subdomain: .'./", 105 | "filters": [], 106 | "tags": ["URL", "HOST", "CORS"], 107 | "id": "8314214777d8c03c8b560cf05e31b90b35a72100" 108 | }, 109 | { 110 | "payload": ".\".", 111 | "description": "Safari allows \" as subdomain: .\"./", 112 | "filters": [], 113 | "tags": ["URL", "HOST", "CORS"], 114 | "id": "3a40c89cb26a9e502030db755f0b7f5a3a0fca95" 115 | }, 116 | { 117 | "payload": ".(.", 118 | "description": "Safari allows ( as subdomain: .(./", 119 | "filters": [], 120 | "tags": ["URL", "HOST", "CORS"], 121 | "id": "8f4aa78c184615ce170933597ecb3bff169d0e21" 122 | }, 123 | { 124 | "payload": ".).", 125 | "description": "Safari allows ) as subdomain: .)./", 126 | "filters": [], 127 | "tags": ["URL", "HOST", "CORS"], 128 | "id": "461e154fed383a59f89bf340ab5d875b6ab8f193" 129 | }, 130 | { 131 | "payload": ".{.", 132 | "description": "Safari allows { as subdomain: .{./", 133 | "filters": [], 134 | "tags": ["URL", "HOST", "CORS"], 135 | "id": "8e46533db2e6e27f630a1ce5716eb835ecff1159" 136 | }, 137 | { 138 | "payload": ".}.", 139 | "description": "Safari allows } as subdomain: .}./", 140 | "filters": [], 141 | "tags": ["URL", "HOST", "CORS"], 142 | "id": "d0796bf59bf4fbccad4bbd07e87d722b5cba0b11" 143 | }, 144 | { 145 | "payload": ".*.", 146 | "description": "Safari allows * as subdomain: .*./", 147 | "filters": [], 148 | "tags": ["URL", "HOST", "CORS"], 149 | "id": "23c04053c485c6bbbc81dda2f9ae19b2a94ec154" 150 | }, 151 | { 152 | "payload": ".&.", 153 | "description": "Safari allows & as subdomain: .&./", 154 | "filters": [], 155 | "tags": ["URL", "HOST", "CORS"], 156 | "id": "0274ee7cc55b6a40d3e205964457296a7a4040db" 157 | }, 158 | { 159 | "payload": ".`.", 160 | "description": "Safari allows ` as subdomain: .`./", 161 | "filters": [], 162 | "tags": ["URL", 
"HOST", "CORS"], 163 | "id": "d2e1de8bc41c3353f79681994c291b53899445c4" 164 | }, 165 | { 166 | "payload": ".+.", 167 | "description": "Firefox and Safari allows + as subdomain .+.", 168 | "filters": [], 169 | "tags": ["URL", "HOST", "CORS"], 170 | "id": "8923ea0db18f14de8153269acde97aed1d57fd9f" 171 | }, 172 | { 173 | "payload": ".", 174 | "description": ".", 175 | "filters": [], 176 | "tags": ["URL", "HOST", "CORS"], 177 | "id": "cea2ae177d6c8a71e67ecff51acad083db6b23be" 178 | }, 179 | { 180 | "payload": ".=.", 181 | "description": "Safari allows = as subdomain: .=./", 182 | "filters": [], 183 | "tags": ["URL", "HOST", "CORS"], 184 | "id": "3e8293142b351c729246a3fcb670b8335b507dca" 185 | }, 186 | { 187 | "payload": ".~.", 188 | "description": "Safari allows ~ as subdomain: .~./", 189 | "filters": [], 190 | "tags": ["URL", "HOST", "CORS"], 191 | "id": "3c4907f111e3f29488a1664d647b4e627c7d20fd" 192 | }, 193 | { 194 | "payload": ".$.", 195 | "description": "Firefox and Safari allows $ as subdomain .$.", 196 | "filters": [], 197 | "tags": ["URL", "HOST", "CORS"], 198 | "id": "abdb4a4b49503a60c2e726d2ef57ab0934fba679" 199 | }, 200 | { 201 | "payload": "[@", 202 | "description": "Spring Framework CVE-2024-22243 [@", 203 | "filters": [], 204 | "tags": ["URL", "HOST"], 205 | "id": "1da2f627d702248b9e61cc23912d2c729e52f878" 206 | }, 207 | { 208 | "payload": "@", 209 | "description": "@", 210 | "filters": [], 211 | "tags": ["URL", "HOST"], 212 | "id": "6daae0f409c72cbbd99147e4f6ab1dfaf6b88389" 213 | }, 214 | { 215 | "payload": "\\;@", 216 | "description": "\\;@", 217 | "filters": [], 218 | "tags": ["URL", "HOST"], 219 | "id": "20a4f5a73241252db609f1caafae7da01f8fb5e1" 220 | }, 221 | { 222 | "payload": "&anything@", 223 | "description": "&anything@", 224 | "filters": [], 225 | "tags": ["URL", "HOST"], 226 | "id": "d19cfe625e33d02d814b75127641ef5a085be680" 227 | }, 228 | { 229 | "payload": "#", 230 | "description": "#", 231 | "filters": [], 232 | "tags": ["URL", "HOST"], 233 
| "id": "b97663bd5098c4717875478796e422ad73d9dd09" 234 | }, 235 | { 236 | "payload": "%23", 237 | "description": "Double URL encoded # character #", 238 | "filters": [], 239 | "tags": ["URL", "HOST"], 240 | "id": "3b918103dbc3dc7da53262e68e5a3d0106426a6c" 241 | }, 242 | { 243 | "payload": "", 244 | "description": "", 245 | "filters": [], 246 | "tags": ["URL", "HOST", "CORS"], 247 | "id": "11a516d014552a6b9bf2b69fa1f3e63d97345aab" 248 | }, 249 | { 250 | "payload": "\t", 251 | "description": "\\t", 252 | "filters": [], 253 | "tags": ["URL", "HOST"], 254 | "id": "ce2c8e63a6bb6fba2914288d40f078dd694abbff" 255 | }, 256 | { 257 | "payload": "\n", 258 | "description": "\\n", 259 | "filters": [], 260 | "tags": ["URL", "HOST"], 261 | "id": "f4f6780b88f877fcee4ac1c9d7dd13de8deeadf4" 262 | }, 263 | { 264 | "payload": "\r\n", 265 | "description": "\\r\\n", 266 | "filters": [], 267 | "tags": ["URL", "HOST"], 268 | "id": "66a50204fb608615e25586ec417334217bac96db" 269 | }, 270 | { 271 | "payload": "\r", 272 | "description": "\\r", 273 | "filters": [], 274 | "tags": ["URL", "HOST"], 275 | "id": "78fb2eca1d07af7ce444035e6a6b61d8e4835b8c" 276 | }, 277 | { 278 | "payload": "\u2028", 279 | "description": "(U+2028)", 280 | "filters": [], 281 | "tags": ["URL", "HOST"], 282 | "id": "9b1cb80212d530707269740ff78c2904885e4bb2" 283 | }, 284 | { 285 | "payload": "\u2029", 286 | "description": "(U+2029)", 287 | "filters": [], 288 | "tags": ["URL", "HOST"], 289 | "id": "db71091f2fac46753094e03913880af31dd36fec" 290 | }, 291 | { 292 | "payload": " @", 293 | "description": " @", 294 | "filters": [], 295 | "tags": ["URL", "HOST"], 296 | "id": "d2c383a55636b0b498b1d5ba405adc112c344e6d" 297 | }, 298 | { 299 | "payload": " &@", 300 | "description": " &@", 301 | "filters": [], 302 | "tags": ["URL", "HOST"], 303 | "id": "d6d3be9e6ad635d60b829ede03f732b5f34b78c4" 304 | }, 305 | { 306 | "payload": " ", 307 | "description": " ", 308 | "filters": [], 309 | "tags": ["URL", "HOST"], 310 | "id": 
"d1ea37ce36e8a7777fdc2820bb5df2f6f5732ba5" 311 | }, 312 | { 313 | "payload": ";https://", 314 | "description": ";https://", 315 | "filters": [], 316 | "tags": ["URL", "HOST"], 317 | "id": "91a3fb64d469740b5143d398729917c7f1304ede" 318 | }, 319 | { 320 | "payload": ":\\@@", 321 | "description": ":\\@@", 322 | "filters": [], 323 | "tags": ["URL", "HOST"], 324 | "id": "25adcd4b65718c2757ee6f27a359465022d45c66" 325 | }, 326 | { 327 | "payload": ":80;http://:80", 328 | "description": "0://:80;http://:80", 329 | "prefix": "0://", 330 | "suffix": "/", 331 | "filters": [], 332 | "tags": ["URL", "HOST"], 333 | "id": "a7fbb5df752defd55ac7e06bf92d944c9d3d02d4" 334 | }, 335 | { 336 | "payload": "?", 337 | "description": "?", 338 | "filters": [], 339 | "tags": ["URL", "HOST"], 340 | "id": "b6a6c06f15d152817088029b00bd4675ec2d01d5" 341 | }, 342 | { 343 | "payload": "?\u0000", 344 | "description": "?(U+0000)", 345 | "filters": [], 346 | "tags": ["URL", "HOST"], 347 | "id": "5ba563007590834d46f9988e4edb183256bc6156" 348 | }, 349 | { 350 | "payload": "?=.", 351 | "description": "?=.", 352 | "filters": [], 353 | "tags": ["URL", "HOST"], 354 | "id": "8abff2b134596d1a84408e32730f1cc9c37cf68b" 355 | }, 356 | { 357 | "payload": "?=", 358 | "description": "?=", 359 | "filters": [], 360 | "tags": ["URL", "HOST"], 361 | "id": "710e1c32de716d811a5a3e19977e1b12eedbe129" 362 | }, 363 | { 364 | "payload": "?http://", 365 | "description": "?http://", 366 | "filters": [], 367 | "tags": ["URL", "HOST"], 368 | "id": "73f36bee5bdc72a2054d804baa53d48d72f05ea2" 369 | }, 370 | { 371 | "payload": "?https://", 372 | "description": "?https://", 373 | "filters": [], 374 | "tags": ["URL", "HOST"], 375 | "id": "df00701f59f6121a3b2ab26ea4c64209cc14825d" 376 | }, 377 | { 378 | "payload": "..", 379 | "description": "Multiple ending dots supported at Chrome and Firefox https://../", 380 | "filters": [], 381 | "tags": ["URL", "HOST"], 382 | "id": "66d3a7e771bb2e20ee8fec1d1b13a196c835d7b9" 383 | }, 384 | { 385 | 
"payload": ".", 386 | "description": "Unencrypted subdomain of ", 387 | "prefix": "http://", 388 | "filters": [], 389 | "tags": ["URL", "HOST", "CORS"], 390 | "id": "ffe800a642b4ff05bd579fc4454881562cdfafb9" 391 | }, 392 | { 393 | "payload": ".", 394 | "description": ".", 395 | "filters": [], 396 | "tags": ["URL", "HOST", "CORS"], 397 | "id": "d82a33ae7aa92b0f1f1f5d71a24c0f1197da4e7a" 398 | }, 399 | { 400 | "filters": [], 401 | "tags": ["URL"], 402 | "payload": "\uff0e", 403 | "description": "URL-splitting Unicode characters: .", 404 | "id": "a5a32ef167f46cc9c60bdfbc8df69bcdcc2d2181" 405 | }, 406 | { 407 | "payload": "@@", 408 | "description": "@@", 409 | "filters": [], 410 | "tags": ["URL", "HOST"], 411 | "id": "19ae42a42f3c5d92a3e1f9d304552bd9a141fe03" 412 | }, 413 | { 414 | "payload": "@", 415 | "description": "@", 416 | "filters": [], 417 | "tags": ["URL", "HOST"], 418 | "id": "a4fae5129ec3f761831939c5ee5af4b7f806e4c1" 419 | }, 420 | { 421 | "payload": "/?d=", 422 | "description": "/?d=", 423 | "filters": [], 424 | "tags": ["URL", "HOST"], 425 | "id": "df1cc97d4908cd69bc8394010d421d264335377d" 426 | }, 427 | { 428 | "payload": "/.", 429 | "description": "/.", 430 | "filters": [], 431 | "tags": ["URL", "HOST"], 432 | "id": "a84366109526aa67353dbb792254a2ddbfd815f6" 433 | }, 434 | { 435 | "payload": "///", 436 | "description": "///", 437 | "filters": [], 438 | "tags": ["URL", "HOST"], 439 | "id": "4fde7ff343832868004a9efaac977f5690390d02" 440 | }, 441 | { 442 | "payload": "/", 443 | "description": "/", 444 | "filters": [], 445 | "tags": ["URL", "HOST"], 446 | "id": "4bf25d6cb123c7f769df7eabbf25118469bc7d71" 447 | }, 448 | { 449 | "payload": "\\.", 450 | "description": "\\.", 451 | "filters": [], 452 | "tags": ["URL", "HOST"], 453 | "id": "26da92c70bc955f06d0548a6c648a2fa85fb4720" 454 | }, 455 | { 456 | "payload": "\\@@", 457 | "description": "\\@@", 458 | "filters": [], 459 | "tags": ["URL", "HOST"], 460 | "id": "89ceb3fd127c9db29d3b7325ce4f6a78daac9d78" 461 | }, 
462 | { 463 | "payload": "\\", 464 | "description": "\\", 465 | "filters": [], 466 | "tags": ["URL", "HOST"], 467 | "id": "170d49165f74c66700423e9554344c7602ba3cd2" 468 | }, 469 | { 470 | "payload": "\\anything@", 471 | "description": "\\anything@", 472 | "filters": [], 473 | "tags": ["URL", "HOST"], 474 | "id": "49c3dab705159b4af3ce63b31239e909ee715a7d" 475 | }, 476 | { 477 | "filters": [], 478 | "tags": ["URL"], 479 | "payload": "\uff06", 480 | "description": "URL-splitting Unicode characters: &", 481 | "id": "952a0e91ff3cbc00a2e6a584cdf119e9e8aceec4" 482 | }, 483 | { 484 | "filters": [], 485 | "tags": ["URL"], 486 | "payload": "\ufe60", 487 | "description": "URL-splitting Unicode characters: &", 488 | "id": "2694aaa7bde0de00353ecd316bce0e2dd3279ade" 489 | }, 490 | { 491 | "payload": "#@", 492 | "description": "#@", 493 | "filters": [], 494 | "tags": ["URL", "HOST"], 495 | "id": "de21ba110890eab43f00fb6692668f63f7e186a1" 496 | }, 497 | { 498 | "payload": "#\\@", 499 | "description": "#\\@", 500 | "filters": [], 501 | "tags": ["URL", "HOST"], 502 | "id": "02f0fb3c762691a7b24935a5f4f0a8dd8474dc1f" 503 | }, 504 | { 505 | "payload": "#", 506 | "description": "#", 507 | "filters": [], 508 | "tags": ["URL", "HOST"], 509 | "id": "89d168cd432d5b4abe6cfd7068165c950b56174e" 510 | }, 511 | { 512 | "payload": "#\u0000", 513 | "description": "#(U+0000)", 514 | "filters": [], 515 | "tags": ["URL", "HOST"], 516 | "id": "a1562552da6136a088b946a813208223c04a7152" 517 | }, 518 | { 519 | "payload": "%0d%0a@", 520 | "description": "Double URL encoded new line character \\r\\n@", 521 | "filters": [], 522 | "tags": ["URL", "HOST"], 523 | "id": "cb4efe0efee3204ea4e5f6e4578e2faa4888a234" 524 | }, 525 | { 526 | "payload": "%23@", 527 | "description": "Double URL encoded # character #@", 528 | "filters": [], 529 | "tags": ["URL", "HOST"], 530 | "id": "e03932bbe1abe0a700f8d8b08a6bd40bb438adc9" 531 | }, 532 | { 533 | "payload": "%2e@", 534 | "description": "Double URL encoded . character 
.@", 535 | "filters": [], 536 | "tags": ["URL", "HOST"], 537 | "id": "041b104bf598a21c7b7851a9b1e81641e95e8e02" 538 | }, 539 | { 540 | "payload": "%2f@", 541 | "description": "Double URL encoded / character /@", 542 | "filters": [], 543 | "tags": ["URL", "HOST"], 544 | "id": "091e5d5424da3357b4f6a5f38fc56a0bae9d5070" 545 | }, 546 | { 547 | "payload": "%3a443.", 548 | "description": "Double URL encoded : character :443.", 549 | "filters": [], 550 | "tags": ["URL", "HOST"], 551 | "id": "b3ad48138f7bfba4479fc55d7d3501ed57d1486b" 552 | }, 553 | { 554 | "payload": "%ff", 555 | "description": "Invalid percent encoding: %ff", 556 | "filters": [], 557 | "tags": ["URL", "HOST"], 558 | "id": "5dd6a69ee2a931af86b364526cae2ac042c44720" 559 | }, 560 | { 561 | "payload": "+@", 562 | "description": "+@", 563 | "filters": [], 564 | "tags": ["URL", "HOST"], 565 | "id": "5b8e0bc8293698b758b60ada6296d21b35e6ccb7" 566 | }, 567 | { 568 | "payload": "+&@", 569 | "description": "+&@", 570 | "filters": [], 571 | "tags": ["URL", "HOST"], 572 | "id": "3060002806833f0dcf9b0d2fb4964741f25a513a" 573 | }, 574 | { 575 | "payload": "\u0000", 576 | "description": "(U+0000)", 577 | "filters": [], 578 | "tags": ["URL", "HOST"], 579 | "id": "062664a57fe99c06bc62e6f50628e45a7b586e29" 580 | }, 581 | { 582 | "payload": "anything", 583 | "description": "Unencrypted domain ends with ", 584 | "prefix": "http://", 585 | "filters": [], 586 | "tags": ["URL", "HOST", "CORS"], 587 | "id": "46912b20254b636b3f4f07d619f97d88b19ade09" 588 | }, 589 | { 590 | "payload": "anything", 591 | "description": "anything", 592 | "filters": [], 593 | "tags": ["URL", "HOST", "CORS"], 594 | "id": "20e21ea3874b833c70c77481c6dffa4fe48347a2" 595 | }, 596 | { 597 | "payload": "foo@ @", 598 | "description": "foo@ @", 599 | "filters": [], 600 | "tags": ["URL", "HOST"], 601 | "id": "648a90417d8fdf11e39a9c164461ab20707a1845" 602 | }, 603 | { 604 | "payload": "foo@:443@", 605 | "description": "foo@:443@", 606 | "filters": [], 607 | 
"tags": ["URL", "HOST"], 608 | "id": "8372598e5b45fc427bfec93fddd1c57a48a001a7" 609 | }, 610 | { 611 | "payload": "localhost.", 612 | "description": "Localhost regex implementation edge case http://localhost./", 613 | "prefix": "http://", 614 | "suffix": "/", 615 | "filters": [], 616 | "tags": ["URL", "HOST", "CORS"], 617 | "id": "32fac2a5d8bafd8c0bff4468d7ebf74c4aacd53a" 618 | }, 619 | { 620 | "payload": "localhost.", 621 | "description": "Localhost regex implementation edge case https://localhost./", 622 | "suffix": "/", 623 | "filters": [], 624 | "tags": ["URL", "HOST", "CORS"], 625 | "id": "ae2410e53af625b7218a1bab2be6561fb200db45" 626 | }, 627 | { 628 | "payload": "null", 629 | "description": "CORS vulnerability with trusted null origin", 630 | "prefix": "", 631 | "suffix": "", 632 | "filters": [], 633 | "tags": ["CORS"], 634 | "id": "2be88ca4242c76e8253ac62474851065032d6833" 635 | }, 636 | { 637 | "payload": "s", 638 | "description": "Unencrypted domain ends with http://s/", 639 | "prefix": "http://", 640 | "suffix": "/", 641 | "filters": [], 642 | "tags": ["URL", "HOST", "CORS"], 643 | "id": "ac08a704b14bdae1ccf4fb93669b2f2935347f4a" 644 | } 645 | ] 646 | } 647 | -------------------------------------------------------------------------------- /src/fake_relative_urls.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Fake relative URLs", 3 | "payloads": [ 4 | { 5 | "payload": "\t", 6 | "description": "Tab \\t allowed inside host", 7 | "filters": [], 8 | "tags": ["URL"], 9 | "id": "b8a72d1541fb0654ff997f3e8f55a10ad30ab8be" 10 | }, 11 | { 12 | "payload": "\n", 13 | "description": "New line \\n allowed inside host", 14 | "filters": [], 15 | "tags": ["URL"], 16 | "id": "dd1670558072e75e82011592a8a20f91e8b24f02" 17 | }, 18 | { 19 | "payload": "\r\n//", 20 | "description": "New line \\r\\n URL split //", 21 | "prefix": "", 22 | "suffix": "", 23 | "filters": [], 24 | "tags": ["URL"], 25 | "id": 
"2be7dba99b4fe4592c981a988b33adc8414b7cfc" 26 | }, 27 | { 28 | "payload": "\r\n\\\\", 29 | "description": "New line \\r\\n URL split \\\\", 30 | "prefix": "", 31 | "suffix": "", 32 | "filters": [], 33 | "tags": ["URL"], 34 | "id": "e5ddb6c7744a1dd437293f35b6e3a375e23cba05" 35 | }, 36 | { 37 | "payload": "@", 38 | "description": "@", 39 | "prefix": "", 40 | "suffix": "", 41 | "filters": [], 42 | "tags": ["URL"], 43 | "id": "3a3a1269ad91c19d6836738f88c22c2d2e828a04" 44 | }, 45 | { 46 | "payload": "@", 47 | "description": "@", 48 | "prefix": "http:", 49 | "suffix": "", 50 | "filters": [], 51 | "tags": ["URL"], 52 | "id": "7ce5c7ba8d68acc95deb7c830ff9083278a754d5" 53 | }, 54 | { 55 | "payload": "@", 56 | "description": "@", 57 | "prefix": "https:", 58 | "suffix": "", 59 | "filters": [], 60 | "tags": ["URL"], 61 | "id": "4c8666f47acf0e2364c9c84012259329581e6afa" 62 | }, 63 | { 64 | "payload": "///", 65 | "description": "///", 66 | "prefix": "", 67 | "suffix": "", 68 | "filters": [], 69 | "tags": ["URL"], 70 | "id": "0cf4ec8da20a63aca1c94998b3599a5c917cfc64" 71 | }, 72 | { 73 | "payload": "//", 74 | "description": "//", 75 | "prefix": "", 76 | "suffix": "", 77 | "filters": [], 78 | "tags": ["URL"], 79 | "id": "b4b07ea11af6244ed0227da67fa422166fd33aa3" 80 | }, 81 | { 82 | "payload": "\\/\\/", 83 | "description": "\\/\\/", 84 | "prefix": "", 85 | "suffix": "", 86 | "filters": [], 87 | "tags": ["URL"], 88 | "id": "3d9687ba91c6cd5d7eb134c958897429c524758d" 89 | }, 90 | { 91 | "payload": "/\\", 92 | "description": "/\\", 93 | "prefix": "", 94 | "suffix": "", 95 | "filters": [], 96 | "tags": ["URL"], 97 | "id": "ace62c59ddbac07c58f262eb265adf1e018e81f4" 98 | }, 99 | { 100 | "payload": "/\/", 101 | "description": "/\/", 102 | "prefix": "", 103 | "suffix": "", 104 | "filters": [], 105 | "tags": ["URL"], 106 | "id": "313322b27e208e97462712b7a5bd7b02b17245fe" 107 | }, 108 | { 109 | "payload": "/ /", 110 | "description": "/ /", 111 | "prefix": "", 112 | "suffix": "", 113 | 
"filters": [], 114 | "tags": ["URL"], 115 | "id": "e61734c6187c7d0405cd28ec2a8d9eb0d60fbfeb" 116 | }, 117 | { 118 | "payload": "///", 119 | "description": "///", 120 | "prefix": "", 121 | "suffix": "", 122 | "filters": [], 123 | "tags": ["URL"], 124 | "id": "7e09e7c68533b6d866790cb66faecd50e7ced908" 125 | }, 126 | { 127 | "payload": "/ /", 128 | "description": "/ /", 129 | "prefix": "", 130 | "suffix": "", 131 | "filters": [], 132 | "tags": ["URL"], 133 | "id": "7575be7ca7831a7fa9d30ea2d2444a1a2629f487" 134 | }, 135 | { 136 | "payload": "\\\t\\", 137 | "description": "\\\\t\\", 138 | "prefix": "", 139 | "suffix": "", 140 | "filters": [], 141 | "tags": ["URL"], 142 | "id": "81d484c4dcee1d197765c2eea55e39541a796977" 143 | }, 144 | { 145 | "payload": "\\\n\\", 146 | "description": "\\\\n\\", 147 | "prefix": "", 148 | "suffix": "", 149 | "filters": [], 150 | "tags": ["URL"], 151 | "id": "ba39c2a2b512adc31579b7c3cb484d1dcb722995" 152 | }, 153 | { 154 | "payload": "\\/", 155 | "description": "\\/", 156 | "prefix": "", 157 | "suffix": "", 158 | "filters": [], 159 | "tags": ["URL"], 160 | "id": "47839f872c6eb35019b93468e20d4c7a61ac6921" 161 | }, 162 | { 163 | "payload": "\\\\", 164 | "description": "http:\\\\\\", 165 | "prefix": "http:", 166 | "suffix": "\\", 167 | "filters": [], 168 | "tags": ["URL"], 169 | "id": "97aa0ab060c87c215b4031b4602f0a16ff9ee3a2" 170 | }, 171 | { 172 | "payload": "#", 173 | "description": "#", 174 | "prefix": "", 175 | "suffix": "", 176 | "filters": [], 177 | "tags": ["URL"], 178 | "id": "90158c6e56c687aaf511062990bb692400c61367" 179 | }, 180 | { 181 | "payload": "", 182 | "description": "http:", 183 | "prefix": "http:", 184 | "suffix": "", 185 | "filters": [], 186 | "tags": ["URL"], 187 | "id": "2fd08ec2a085c73e8f3adde8ced34afaab73510c" 188 | }, 189 | { 190 | "payload": "", 191 | "description": "https:", 192 | "prefix": "https:", 193 | "suffix": "", 194 | "filters": [], 195 | "tags": ["URL"], 196 | "id": 
"5d47ea5913e5d14d9a05c0a87279e8e35824632d" 197 | }, 198 | { 199 | "payload": "", 200 | "description": "(U+0000)http://", 201 | "filters": [], 202 | "prefix": "\u0000http://", 203 | "suffix": "", 204 | "tags": ["URL"], 205 | "id": "5492b1d230b25c8e3f38afeb60b86eca6f43ca21" 206 | }, 207 | { 208 | "payload": "", 209 | "description": "(U+0001)http://", 210 | "filters": [], 211 | "prefix": "\u0001http://", 212 | "suffix": "", 213 | "tags": ["URL"], 214 | "id": "725d729a546c9ef846643efb56d4b054ec9455c5" 215 | }, 216 | { 217 | "payload": "", 218 | "description": "(U+0002)http://", 219 | "filters": [], 220 | "prefix": "\u0002http://", 221 | "suffix": "", 222 | "tags": ["URL"], 223 | "id": "4beb657c60f7d77deeb9553c452d1ae60f29ea91" 224 | }, 225 | { 226 | "payload": "", 227 | "description": "(U+0003)http://", 228 | "filters": [], 229 | "prefix": "\u0003http://", 230 | "suffix": "", 231 | "tags": ["URL"], 232 | "id": "db28290839728e7d84bc1bc7bb9bcd8a1722fbb0" 233 | }, 234 | { 235 | "payload": "", 236 | "description": "(U+0004)http://", 237 | "filters": [], 238 | "prefix": "\u0004http://", 239 | "suffix": "", 240 | "tags": ["URL"], 241 | "id": "595436103b180ef0631cf33f04080820394bc0b8" 242 | }, 243 | { 244 | "payload": "", 245 | "description": "(U+0005)http://", 246 | "filters": [], 247 | "prefix": "\u0005http://", 248 | "suffix": "", 249 | "tags": ["URL"], 250 | "id": "a0c314cdaca64075c33d2d5bcf09cd1c5528d491" 251 | }, 252 | { 253 | "payload": "", 254 | "description": "(U+0006)http://", 255 | "filters": [], 256 | "prefix": "\u0006http://", 257 | "suffix": "", 258 | "tags": ["URL"], 259 | "id": "eb4e0b71389ece25febcf450ede12de5238c159d" 260 | }, 261 | { 262 | "payload": "", 263 | "description": "(U+0007)http://", 264 | "filters": [], 265 | "prefix": "\u0007http://", 266 | "suffix": "", 267 | "tags": ["URL"], 268 | "id": "ba5b0a0d17498890af12f126af9a01919fe0e001" 269 | }, 270 | { 271 | "payload": "", 272 | "description": "\\bhttp://", 273 | "filters": [], 274 | "prefix": 
"\bhttp://", 275 | "suffix": "", 276 | "tags": ["URL"], 277 | "id": "69d2af51a4d4fe0ee2885d0cf96988200bedb17a" 278 | }, 279 | { 280 | "payload": "", 281 | "description": "\\thttp://", 282 | "filters": [], 283 | "prefix": "\thttp://", 284 | "suffix": "", 285 | "tags": ["URL"], 286 | "id": "9939e691963f62b6ca1782f8b29118dc7c855753" 287 | }, 288 | { 289 | "payload": "", 290 | "description": "\\nhttp://", 291 | "filters": [], 292 | "prefix": "\nhttp://", 293 | "suffix": "", 294 | "tags": ["URL"], 295 | "id": "aa399fe33f3adf4bffa965bd220ebfa4ad1fe6a7" 296 | }, 297 | { 298 | "payload": "", 299 | "description": "(U+000b)http://", 300 | "filters": [], 301 | "prefix": "\u000bhttp://", 302 | "suffix": "", 303 | "tags": ["URL"], 304 | "id": "be6cc25de22b39339f6945470c7e4aa480053d6f" 305 | }, 306 | { 307 | "payload": "", 308 | "description": "\\fhttp://", 309 | "filters": [], 310 | "prefix": "\fhttp://", 311 | "suffix": "", 312 | "tags": ["URL"], 313 | "id": "85a36b9e4af4d9145bb0d02a64720f7d4585984f" 314 | }, 315 | { 316 | "payload": "", 317 | "description": "\\rhttp://", 318 | "filters": [], 319 | "prefix": "\rhttp://", 320 | "suffix": "", 321 | "tags": ["URL"], 322 | "id": "4227eed925aa8ee2930ec3e1bacdf91d34f3641a" 323 | }, 324 | { 325 | "payload": "", 326 | "description": "(U+000e)http://", 327 | "filters": [], 328 | "prefix": "\u000ehttp://", 329 | "suffix": "", 330 | "tags": ["URL"], 331 | "id": "27013afeef04a9432826ba4c6c744b09ad007d45" 332 | }, 333 | { 334 | "payload": "", 335 | "description": "(U+000f)http://", 336 | "filters": [], 337 | "prefix": "\u000fhttp://", 338 | "suffix": "", 339 | "tags": ["URL"], 340 | "id": "d2bfdf4fc8935a83c80d57b6e66c4a1212490cf2" 341 | }, 342 | { 343 | "payload": "", 344 | "description": "(U+0010)http://", 345 | "filters": [], 346 | "prefix": "\u0010http://", 347 | "suffix": "", 348 | "tags": ["URL"], 349 | "id": "15f6321a2d955024d326dcc346a05f9e2ab06e54" 350 | }, 351 | { 352 | "payload": "", 353 | "description": "(U+0011)http://", 354 | 
"filters": [], 355 | "prefix": "\u0011http://", 356 | "suffix": "", 357 | "tags": ["URL"], 358 | "id": "15856aac15e17eaf767d61d151c230b54c47e5c0" 359 | }, 360 | { 361 | "payload": "", 362 | "description": "(U+0012)http://", 363 | "filters": [], 364 | "prefix": "\u0012http://", 365 | "suffix": "", 366 | "tags": ["URL"], 367 | "id": "f0c386f31ce67d6ddf215853938e2950d7282d7c" 368 | }, 369 | { 370 | "payload": "", 371 | "description": "(U+0013)http://", 372 | "filters": [], 373 | "prefix": "\u0013http://", 374 | "suffix": "", 375 | "tags": ["URL"], 376 | "id": "7d60404537279448dc8a796d5d94689705f9492b" 377 | }, 378 | { 379 | "payload": "", 380 | "description": "(U+0014)http://", 381 | "filters": [], 382 | "prefix": "\u0014http://", 383 | "suffix": "", 384 | "tags": ["URL"], 385 | "id": "5116abdec32a9548186ad5b605c5a84d5b25b5d0" 386 | }, 387 | { 388 | "payload": "", 389 | "description": "(U+0015)http://", 390 | "filters": [], 391 | "prefix": "\u0015http://", 392 | "suffix": "", 393 | "tags": ["URL"], 394 | "id": "52b4dcfa082e1b57eced818b7a69f01b93e18be8" 395 | }, 396 | { 397 | "payload": "", 398 | "description": "(U+0016)http://", 399 | "filters": [], 400 | "prefix": "\u0016http://", 401 | "suffix": "", 402 | "tags": ["URL"], 403 | "id": "ff8d49ace2bc1431f3e67b417665e60970ade5c9" 404 | }, 405 | { 406 | "payload": "", 407 | "description": "(U+0017)http://", 408 | "filters": [], 409 | "prefix": "\u0017http://", 410 | "suffix": "", 411 | "tags": ["URL"], 412 | "id": "37684ab38112706b4ff6af828e47e1fb9f51ae2d" 413 | }, 414 | { 415 | "payload": "", 416 | "description": "(U+0018)http://", 417 | "filters": [], 418 | "prefix": "\u0018http://", 419 | "suffix": "", 420 | "tags": ["URL"], 421 | "id": "10dff9478c68773d1cb13613dc99ac4e6e342b0f" 422 | }, 423 | { 424 | "payload": "", 425 | "description": "(U+0019)http://", 426 | "filters": [], 427 | "prefix": "\u0019http://", 428 | "suffix": "", 429 | "tags": ["URL"], 430 | "id": "8f592f4ae8e0ea947edda88c1b6898a2b00c32ac" 431 | }, 432 
| { 433 | "payload": "", 434 | "description": "(U+001a)http://", 435 | "filters": [], 436 | "prefix": "\u001ahttp://", 437 | "suffix": "", 438 | "tags": ["URL"], 439 | "id": "e3d0a0b8f6e4dfd5a17515c67eaf407f4ee250a4" 440 | }, 441 | { 442 | "payload": "", 443 | "description": "(U+001b)http://", 444 | "filters": [], 445 | "prefix": "\u001bhttp://", 446 | "suffix": "", 447 | "tags": ["URL"], 448 | "id": "5591961133db50bf4aa819036dbd2faddf72d900" 449 | }, 450 | { 451 | "payload": "", 452 | "description": "(U+001c)http://", 453 | "filters": [], 454 | "prefix": "\u001chttp://", 455 | "suffix": "", 456 | "tags": ["URL"], 457 | "id": "b6856a3c020c0d5181580e9b59805aa609158083" 458 | }, 459 | { 460 | "payload": "", 461 | "description": "(U+001d)http://", 462 | "filters": [], 463 | "prefix": "\u001dhttp://", 464 | "suffix": "", 465 | "tags": ["URL"], 466 | "id": "708eca4a6cc2f882d5e411d2d1fd1e603a04e7d8" 467 | }, 468 | { 469 | "payload": "", 470 | "description": "(U+001e)http://", 471 | "filters": [], 472 | "prefix": "\u001ehttp://", 473 | "suffix": "", 474 | "tags": ["URL"], 475 | "id": "da497bc6a4c326cae7470f60611d4cc663f2472d" 476 | }, 477 | { 478 | "payload": "", 479 | "description": "(U+001f)http://", 480 | "filters": [], 481 | "prefix": "\u001fhttp://", 482 | "suffix": "", 483 | "tags": ["URL"], 484 | "id": "cae726a33f3bb6e8cee38e927fa844775146c410" 485 | }, 486 | { 487 | "payload": "", 488 | "description": " http://", 489 | "filters": [], 490 | "prefix": " http://", 491 | "suffix": "", 492 | "tags": ["URL"], 493 | "id": "0572066412cf61c59dc8f23ea664f94d828431b7" 494 | }, 495 | { 496 | "payload": "", 497 | "description": "h\\tttp://", 498 | "filters": [], 499 | "prefix": "h\tttp://", 500 | "suffix": "", 501 | "tags": ["URL"], 502 | "id": "44407f2c6750ade851828ab12d3f7ebe0e1e769b" 503 | }, 504 | { 505 | "payload": "", 506 | "description": "h\\nttp://", 507 | "filters": [], 508 | "prefix": "h\nttp://", 509 | "suffix": "", 510 | "tags": ["URL"], 511 | "id": 
"e97cbf16f509779f22609afec001a4a1c00a51bd" 512 | }, 513 | { 514 | "payload": "", 515 | "description": "h\\rttp://", 516 | "filters": [], 517 | "prefix": "h\rttp://", 518 | "suffix": "", 519 | "tags": ["URL"], 520 | "id": "a82c1f27966a0864d6d1398361dc55af896e1fa7" 521 | }, 522 | { 523 | "payload": "", 524 | "description": "http\\t://", 525 | "filters": [], 526 | "prefix": "http\t://", 527 | "suffix": "", 528 | "tags": ["URL"], 529 | "id": "8f0455de93c6da722c590287dcc1c36211382cc3" 530 | }, 531 | { 532 | "payload": "", 533 | "description": "http\\n://", 534 | "filters": [], 535 | "prefix": "http\n://", 536 | "suffix": "", 537 | "tags": ["URL"], 538 | "id": "486308f0be532d6178b0be35b9a2a9fc67d48212" 539 | }, 540 | { 541 | "payload": "", 542 | "description": "http\\r://", 543 | "filters": [], 544 | "prefix": "http\r://", 545 | "suffix": "", 546 | "tags": ["URL"], 547 | "id": "32fec641d76504715cba789328ebafa2a645e40e" 548 | }, 549 | { 550 | "payload": "", 551 | "description": "\\thttp\\t://", 552 | "filters": [], 553 | "prefix": "\thttp\t://", 554 | "suffix": "", 555 | "tags": ["URL"], 556 | "id": "a02d348d210efa779f995fa47a6618ed564cb926" 557 | }, 558 | { 559 | "payload": "", 560 | "description": "\\nhttp\\n://", 561 | "filters": [], 562 | "prefix": "\nhttp\n://", 563 | "suffix": "", 564 | "tags": ["URL"], 565 | "id": "95984673cfbeca4eeae3e7799cbbfb2c75d3de29" 566 | }, 567 | { 568 | "payload": "", 569 | "description": "\\rhttp\\r://", 570 | "filters": [], 571 | "prefix": "\rhttp\r://", 572 | "suffix": "", 573 | "tags": ["URL"], 574 | "id": "8ee4f4385d6dfd689346fef4d7be4fc812692a68" 575 | }, 576 | { 577 | "payload": "", 578 | "description": "http:/\\", 579 | "filters": [], 580 | "prefix": "http:/\\", 581 | "suffix": "", 582 | "tags": ["URL"], 583 | "id": "21181eedd5c3cc8e24107d573e79a16b5a56553e" 584 | }, 585 | { 586 | "payload": "", 587 | "description": "http:/\\\\", 588 | "filters": [], 589 | "prefix": "http:/\\\\", 590 | "suffix": "", 591 | "tags": ["URL"], 592 | 
"id": "301cc93d9a2415cd5d6b000427024a7efcde8cec" 593 | }, 594 | { 595 | "payload": "", 596 | "description": "http:\\\\", 597 | "filters": [], 598 | "prefix": "http:\\\\", 599 | "suffix": "", 600 | "tags": ["URL"], 601 | "id": "9bfc4198128fafe0313943366c68c0c1a1b34fea" 602 | }, 603 | { 604 | "payload": "", 605 | "description": "http:\\", 606 | "filters": [], 607 | "prefix": "http:\\", 608 | "suffix": "", 609 | "tags": ["URL"], 610 | "id": "34495dbe03013576ba901438b80a5f0fa99b1ca2" 611 | }, 612 | { 613 | "payload": "", 614 | "description": "http:/", 615 | "filters": [], 616 | "prefix": "http:/", 617 | "suffix": "", 618 | "tags": ["URL"], 619 | "id": "5d2743398cd2346eb0a4008174a817498c7f685e" 620 | }, 621 | { 622 | "payload": "", 623 | "description": "Refer to 0.0.0.0 without including :// in the scheme section of the absolute URL: http:/0/", 624 | "filters": [], 625 | "prefix": "http:/0/", 626 | "suffix": "", 627 | "tags": ["URL"], 628 | "id": "c316f024b09e4fcbc1c7ff5072087354d747fd98" 629 | }, 630 | { 631 | "payload": "\u200b", 632 | "description": "HTML entities ZeroWidthSpace, NegativeVeryThinSpace, NegativeThinSpace, NegativeMediumSpace, NegativeThickSpace (U+200B) allowed inside host", 633 | "filters": [], 634 | "tags": ["URL"], 635 | "id": "a72c5cf60d09c89718bcae7129a21fa21d72ee0a" 636 | }, 637 | { 638 | "payload": "\u2060", 639 | "description": "HTML entity NoBreak (U+2060) allowed inside host", 640 | "filters": [], 641 | "tags": ["URL"], 642 | "id": "c420c74fcd31811b4edf3a681b8e7b676a01eb2a" 643 | }, 644 | { 645 | "payload": "\u00ad", 646 | "description": "HTML entity SHY (U+00AD) allowed inside host", 647 | "filters": [], 648 | "tags": ["URL"], 649 | "id": "e73aa1dc3d1e050be2108a6c73362c35cd9b89b2" 650 | } 651 | ] 652 | } 653 | -------------------------------------------------------------------------------- /src/ipv6.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "IPv6", 3 | "payloads": [ 4 | { 5 | 
"payload": "[::%]", 6 | "description": "ZoneID attack var 1 https://www.rfc-editor.org/rfc/rfc6874.html#section-3", 7 | "filters": [], 8 | "tags": ["URL", "HOST"], 9 | "id": "67bb5f0d059c6cf5bba3ca424e494aa04ccf07a6" 10 | }, 11 | { 12 | "payload": "[::%25]", 13 | "description": "ZoneID attack var 2 https://www.rfc-editor.org/rfc/rfc6874.html#section-3", 14 | "filters": [], 15 | "tags": ["URL", "HOST"], 16 | "id": "006dafc81809fdd4f094e5fa3248d53287c9a4b7" 17 | }, 18 | { 19 | "payload": "[v1.]", 20 | "description": "IPvFuture attack https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.2", 21 | "filters": [], 22 | "tags": ["URL", "HOST"], 23 | "id": "26a7f6e989f7dcafb328d067a932f89b80a352c0" 24 | } 25 | ] 26 | } 27 | -------------------------------------------------------------------------------- /src/loopback.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Loopback", 3 | "payloads": [ 4 | { 5 | "payload": "[::]", 6 | "description": "[::]", 7 | "filters": [], 8 | "tags": ["URL", "HOST", "CORS"], 9 | "id": "774d39681f93dd129c28e19122be14831684a1ae" 10 | }, 11 | { 12 | "payload": "[::1]", 13 | "description": "[::1]", 14 | "filters": [], 15 | "tags": ["URL", "HOST", "CORS"], 16 | "id": "f290a8f3c04e67ee70722ae1e0d0a821a1b74408" 17 | }, 18 | { 19 | "payload": "[::ffff:0.0.0.0]", 20 | "description": "IPv4-mapped IPv6 address 0.0.0.0", 21 | "filters": [], 22 | "tags": ["URL", "HOST"], 23 | "id": "cd6aea8dd1a6c5b0fd1f6626f5e849c3c39afa3b" 24 | }, 25 | { 26 | "payload": "[::ffff:0000:0000]", 27 | "description": "[::ffff:0000:0000]", 28 | "filters": [], 29 | "tags": ["URL", "HOST"], 30 | "id": "be8cb09a795cbcc6c48a7e10647034111c4efe26" 31 | }, 32 | { 33 | "payload": "[::ffff:7f00:1]", 34 | "description": "[::1]", 35 | "filters": [], 36 | "tags": ["URL", "HOST", "CORS"], 37 | "id": "363d6e8b3bc70faf9bf55367f127ff502fb3f429" 38 | }, 39 | { 40 | "payload": "[::\ufb00\ufb00:7f00:1]", 41 | "description": "Latin Small 
Ligature Ff [::ffff:7f00:1]", 42 | "filters": [], 43 | "tags": ["URL", "HOST"], 44 | "id": "cd5d84d35379c86c52b2a0e07467e445e7bb6d2b" 45 | }, 46 | { 47 | "payload": "[0:0:0:0:0:ffff:127.0.0.1]", 48 | "description": "[0:0:0:0:0:ffff:127.0.0.1]", 49 | "filters": [], 50 | "tags": ["URL", "HOST"], 51 | "id": "0f2db7090d0e751a4774a74a6636fd7cb3f1a190" 52 | }, 53 | { 54 | "payload": "[0:0:0:0:0:ffff:1\u3257.0.0.1]", 55 | "description": "Circled Number Twenty Seven [0:0:0:0:0:ffff:127.0.0.1]", 56 | "filters": [], 57 | "tags": ["URL", "HOST"], 58 | "id": "26f378f7a66ab81bae74d7124d776dbe060256bf" 59 | }, 60 | { 61 | "payload": "[0:0:0:0:0:ffff:\u246b7.0.0.1]", 62 | "description": "Circled Number Twelve [0:0:0:0:0:ffff:127.0.0.1]", 63 | "filters": [], 64 | "tags": ["URL", "HOST"], 65 | "id": "c5d40677753418f987679aaa900659479225ee9f" 66 | }, 67 | { 68 | "payload": "[0:0:0:0:0:\ufb00\ufb00:127.0.0.1]", 69 | "description": "Latin Small Ligature Ff [0:0:0:0:0:ffff:127.0.0.1]", 70 | "filters": [], 71 | "tags": ["URL", "HOST"], 72 | "id": "0b342b72a8c6668bb150d8fe3f5cf0c0532c8b79" 73 | }, 74 | { 75 | "payload": "[0000::1]", 76 | "description": "[0000::1]", 77 | "filters": [], 78 | "tags": ["URL", "HOST"], 79 | "id": "e9c454687517744a84a0b94a95c6e5dc30e31795" 80 | }, 81 | { 82 | "payload": "[0000:0000:0000:0000:0000:0000:0000:0000]", 83 | "description": "fully-expanded form of [::]", 84 | "filters": [], 85 | "tags": ["URL", "HOST", "CORS"], 86 | "id": "8d52c4fcf76fa2e662a3df7903653189af480967" 87 | }, 88 | { 89 | "payload": "[0000:0000:0000:0000:0000:0000:0000:0001]", 90 | "description": "fully-expanded form of [::1]", 91 | "filters": [], 92 | "tags": ["URL", "HOST"], 93 | "id": "55be05aa42551c0158a392ce49c09bb1bf5c58da" 94 | }, 95 | { 96 | "payload": "@0", 97 | "description": "@0", 98 | "filters": [], 99 | "tags": ["URL", "HOST"], 100 | "id": "e0271a38f02001f8eecc3cbbf1bad38d682d7d1b" 101 | }, 102 | { 103 | "payload": "\\l\\o\\c\\a\\l\\h\\o\\s\\t", 104 | "description": 
"\\l\\o\\c\\a\\l\\h\\o\\s\\t", 105 | "filters": [], 106 | "tags": ["URL", "HOST"], 107 | "id": "1460b076c5bc1369b1b5e00bada09464ad5a51b5" 108 | }, 109 | { 110 | "payload": ".local", 111 | "description": "Local allowed domain bypass", 112 | "filters": [], 113 | "tags": ["URL", "HOST", "CORS"], 114 | "id": "715a06de30c2c88c39fe5e586cb906d436940a40" 115 | }, 116 | { 117 | "payload": ".localhost", 118 | "description": "Localhost allowed domain bypass", 119 | "filters": [], 120 | "tags": ["URL", "HOST", "CORS"], 121 | "id": "97cef03a53eb5bd597deb2eb703e419eb2e70aa1" 122 | }, 123 | { 124 | "payload": "0", 125 | "description": "0", 126 | "filters": [], 127 | "tags": ["URL", "HOST"], 128 | "id": "8139fbfe111b7a027c8af94586d38bd8975882d4" 129 | }, 130 | { 131 | "payload": "0:80", 132 | "description": "Some clients like curl will interpret 0:80 as valid loopback address", 133 | "prefix": "", 134 | "suffix": "", 135 | "filters": [], 136 | "tags": ["URL", "HOST"], 137 | "id": "92291aafe7b4e4ef6c99c9672e024cc88475e043" 138 | }, 139 | { 140 | "payload": "0.0.0.0", 141 | "description": "0.0.0.0", 142 | "filters": [], 143 | "tags": ["URL", "HOST", "CORS"], 144 | "id": "cfa39a4008237a7be563114230f1aa624ce0c46c" 145 | }, 146 | { 147 | "payload": "0000.0000.0000.0000", 148 | "description": "Octal form 0.0.0.0", 149 | "filters": [], 150 | "tags": ["URL", "HOST"], 151 | "id": "335a6cb238cd194a00a1f7475fa09cebc1db3e71" 152 | }, 153 | { 154 | "payload": "00000177.00000000.00000000.00000001", 155 | "description": "00000177.00000000.00000000.00000001", 156 | "filters": [], 157 | "tags": ["URL", "HOST"], 158 | "id": "2c4c0eeaf2af819671cdab1015430fe086e78740" 159 | }, 160 | { 161 | "payload": "0177.0000.0000.0001", 162 | "description": "0177.0000.0000.0001", 163 | "filters": [], 164 | "tags": ["URL", "HOST"], 165 | "id": "883ccc07d658f5f090bbe8947a1428c8f68afec8" 166 | }, 167 | { 168 | "payload": "017700000001", 169 | "description": "017700000001", 170 | "filters": [], 171 | "tags": ["URL", 
"HOST"], 172 | "id": "be5727f874bdff561d95b6c1a09703bb79ba5eae" 173 | }, 174 | { 175 | "payload": "0\u2470700000001", 176 | "description": "Circled Number Seventeen 017700000001", 177 | "filters": [], 178 | "tags": ["URL", "HOST"], 179 | "id": "d367de4ae675e44e553a7608f8616ae83ece146f" 180 | }, 181 | { 182 | "payload": "0x00000000", 183 | "description": "Hex form 0.0.0.0", 184 | "filters": [], 185 | "tags": ["URL", "HOST"], 186 | "id": "47c51c24bc4d8ff3a7079ed95684c960bd1a8ff8" 187 | }, 188 | { 189 | "payload": "0x100000000", 190 | "description": "Hexadecimal IP of 0.0.0.0 with overflow", 191 | "filters": [], 192 | "tags": ["URL", "HOST"], 193 | "id": "ecc23a46f1d5cfa882a8bc47b154f7c0dcc75db3" 194 | }, 195 | { 196 | "payload": "0x17f000001", 197 | "description": "Hexadecimal IP of 127.0.0.1 with overflow", 198 | "filters": [], 199 | "tags": ["URL", "HOST"], 200 | "id": "1afd8953235bf9334d57361a188de36775ab11e4" 201 | }, 202 | { 203 | "payload": "0x17f000002", 204 | "description": "Hexadecimal IP of 127.0.0.2 with overflow", 205 | "filters": [], 206 | "tags": ["URL", "HOST"], 207 | "id": "f6b61f293f748dd6e8a1dd2a7aa6a3f99999212c" 208 | }, 209 | { 210 | "payload": "0x7F.0.0000.00000001", 211 | "description": "0x7F.0.0000.00000001", 212 | "filters": [], 213 | "tags": ["URL", "HOST"], 214 | "id": "99b9c563814e3db5053c5df98dd010bc0761554a" 215 | }, 216 | { 217 | "payload": "0x7F.0.0000.0001", 218 | "description": "0x7F.0.0000.0001", 219 | "filters": [], 220 | "tags": ["URL", "HOST"], 221 | "id": "91952075876239141a1fd18c1fc2aa378e66cfed" 222 | }, 223 | { 224 | "payload": "0x7f.0x00.0x00.0x01", 225 | "description": "0x7f.0x00.0x00.0x01", 226 | "filters": [], 227 | "tags": ["URL", "HOST"], 228 | "id": "943eabb66190f1635930ccf7dc19e5e03cd05081" 229 | }, 230 | { 231 | "payload": "0x7f.0x00.0x00.0x02", 232 | "description": "Hexadecimal IP of 127.0.0.2", 233 | "filters": [], 234 | "tags": ["URL", "HOST"], 235 | "id": "9e6f1b0eca78d0b1d7f7c8c74b1c26eb1fa63f48" 236 | }, 237 | { 
238 | "payload": "0x7F.1", 239 | "description": "0x7F.1", 240 | "filters": [], 241 | "tags": ["URL", "HOST"], 242 | "id": "4601d4059b66ab04e543867dc7ca2c19d7c7b8a1" 243 | }, 244 | { 245 | "payload": "0x7f000001", 246 | "description": "0x7f000001", 247 | "filters": [], 248 | "tags": ["URL", "HOST"], 249 | "id": "1b8e6210ed86d2f5aed4a0b94cc2f2c119c3b18d" 250 | }, 251 | { 252 | "payload": "0x7f000002", 253 | "description": "Hexadecimal IP of 127.0.0.2", 254 | "filters": [], 255 | "tags": ["URL", "HOST"], 256 | "id": "8661eabf8e436fc6652faf92b2296af65850bb96" 257 | }, 258 | { 259 | "payload": "127.0.0.1", 260 | "description": "127.0.0.1", 261 | "filters": [], 262 | "tags": ["URL", "HOST", "CORS"], 263 | "id": "18a114b8a46c2f257d2a84cd3a9ef7d85966cf03" 264 | }, 265 | { 266 | "payload": "1\u3257.0.0.1", 267 | "description": "Circled Number Twenty Seven 127.0.0.1", 268 | "filters": [], 269 | "tags": ["URL", "HOST"], 270 | "id": "d3132036819744cb2fa833842140f7ba3ae15350" 271 | }, 272 | { 273 | "payload": "\u246b7.0.0.1", 274 | "description": "Circled Number Twelve 127.0.0.1", 275 | "filters": [], 276 | "tags": ["URL", "HOST"], 277 | "id": "a6654fd50980c525cec24c491fb1f10d8f5aeb5e" 278 | }, 279 | { 280 | "payload": "127.0.0.2", 281 | "description": "127.0.0.2", 282 | "filters": [], 283 | "tags": ["URL", "HOST"], 284 | "id": "13eb94e26cb3525eb386a363bbbc9e408043a0db" 285 | }, 286 | { 287 | "payload": "1\u3257.0.0.2", 288 | "description": "Circled Number Twenty Seven 127.0.0.2", 289 | "filters": [], 290 | "tags": ["URL", "HOST"], 291 | "id": "7d6e2bb3154621566d8cbb06331e48148cb528e3" 292 | }, 293 | { 294 | "payload": "\u246b7.0.0.2", 295 | "description": "Circled Number Twelve 127.0.0.2", 296 | "filters": [], 297 | "tags": ["URL", "HOST"], 298 | "id": "3ad9956cd47c1c929b085747db4cda1907e47323" 299 | }, 300 | { 301 | "payload": "127.000000000000000.1", 302 | "description": "127.000000000000000.1", 303 | "filters": [], 304 | "tags": ["URL", "HOST"], 305 | "id": 
"63b554cfb083bde06c105e1a53b2d76d48f71860" 306 | }, 307 | { 308 | "payload": "127.1", 309 | "description": "127.1", 310 | "filters": [], 311 | "tags": ["URL", "HOST"], 312 | "id": "232c587a2aff2f53cc4ba140e22db11420b40fca" 313 | }, 314 | { 315 | "payload": "2130706433", 316 | "description": "Decimal IP of 127.0.0.1", 317 | "filters": [], 318 | "tags": ["URL", "HOST"], 319 | "id": "1ac3d04cacc1b188e899c64ab263a16a9a9d4e9c" 320 | }, 321 | { 322 | "payload": "21307064\u325d", 323 | "description": "Circled Number Thirty Three Decimal IP of 127.0.0.1", 324 | "filters": [], 325 | "tags": ["URL", "HOST"], 326 | "id": "6db6650b380d301246442ad7309d329cd689cb5c" 327 | }, 328 | { 329 | "payload": "2130706\u32b83", 330 | "description": "Circled Number Forty Three Decimal IP of 127.0.0.1", 331 | "filters": [], 332 | "tags": ["URL", "HOST"], 333 | "id": "99a6da5b951c8d91a15f18b33414099a2ef41cd8" 334 | }, 335 | { 336 | "payload": "21\u325a706433", 337 | "description": "Circled Number Thirty Decimal IP of 127.0.0.1", 338 | "filters": [], 339 | "tags": ["URL", "HOST"], 340 | "id": "54e3bd462ad3f50bed897bd80e98d4cb0b3a11c6" 341 | }, 342 | { 343 | "payload": "2\u246c0706433", 344 | "description": "Circled Number Thirteen Decimal IP of 127.0.0.1", 345 | "filters": [], 346 | "tags": ["URL", "HOST"], 347 | "id": "8535c5b287183fd69d9f9e28325a8ef24e9f245b" 348 | }, 349 | { 350 | "payload": "\u325130706433", 351 | "description": "Circled Number Twenty One Decimal IP of 127.0.0.1", 352 | "filters": [], 353 | "tags": ["URL", "HOST"], 354 | "id": "24ea09462b3747850ff3dd008689eb948efbf331" 355 | }, 356 | { 357 | "payload": "\u3251\u325a\u2466\u24ea\u2465\u2463\u325d", 358 | "description": "Circled Numbers 2130706433", 359 | "filters": [], 360 | "tags": ["URL", "HOST"], 361 | "id": "cb15c6037e3eee0e7ff506fc8e001b93af11a440" 362 | }, 363 | { 364 | "payload": "45080379393", 365 | "description": "Decimal IP of 127.0.0.1 with x10 overflow", 366 | "filters": [], 367 | "tags": ["URL", "HOST"], 368 |
"id": "fb228b3a0fe9355c46199b69c64f98eba39c3ef5" 369 | }, 370 | { 371 | "payload": "localhost", 372 | "description": "localhost", 373 | "filters": [], 374 | "tags": ["URL", "HOST", "CORS"], 375 | "id": "aa2b6caa1bc125a1617a779bf35faf2a7ea71114" 376 | }, 377 | { 378 | "payload": "\u00adlocalhost", 379 | "description": "Normalization of the Soft Hyphen Character will return empty string", 380 | "filters": [], 381 | "tags": ["URL"], 382 | "id": "0fb340de15dae138537c9ed426f7e7ab0515d528" 383 | }, 384 | { 385 | "payload": "\u034flocalhost", 386 | "description": "Normalization of the Combining Grapheme Joiner (U+034F) will return empty string", 387 | "filters": [], 388 | "tags": ["URL"], 389 | "id": "04fb6f44b388e362e05320b6ee63b794ce4d5882" 390 | }, 391 | { 392 | "payload": "\u180blocalhost", 393 | "description": "Normalization of the character (U+180B) will return empty string", 394 | "filters": [], 395 | "tags": ["URL"], 396 | "id": "41e082b6bfc3aa68a9403e24c2550139706adbdb" 397 | }, 398 | { 399 | "payload": "\u180clocalhost", 400 | "description": "Normalization of the character (U+180C) will return empty string", 401 | "filters": [], 402 | "tags": ["URL"], 403 | "id": "ee2d21f3b0d6d7318e56b92e3068aac87e817b34" 404 | }, 405 | { 406 | "payload": "\u180dlocalhost", 407 | "description": "Normalization of the character (U+180D) will return empty string", 408 | "filters": [], 409 | "tags": ["URL"], 410 | "id": "bf5cc0399f6eb2f14c8a7fcaa1c613895dde07df" 411 | }, 412 | { 413 | "payload": "\u180elocalhost", 414 | "description": "Normalization of the character (U+180E) will return empty string", 415 | "filters": [], 416 | "tags": ["URL"], 417 | "id": "dc225121b0165fa18724d084b0e926472cd89328" 418 | }, 419 | { 420 | "payload": "\u180flocalhost", 421 | "description": "Normalization of the Undefined Character (U+180F) will return empty string", 422 | "filters": [], 423 | "tags": ["URL"], 424 | "id": "0b1db671bf26764c732b49a3bbd301a175d6811d" 425 | }, 426 | { 427 | "payload": "\u200blocalhost", 428 | "description":
"Normalization of the Zero Width Space Character will return empty string", 429 | "filters": [], 430 | "tags": ["URL"], 431 | "id": "bc06dd2c8e84321c7d240586ed99d8ede51e2031" 432 | }, 433 | { 434 | "payload": "\u2060localhost", 435 | "description": "Normalization of the Word Joiner (U+2060) will return empty string", 436 | "filters": [], 437 | "tags": ["URL"], 438 | "id": "6bd275bea05fcaa52b914d8f98204dce828fc6e6" 439 | }, 440 | { 441 | "payload": "\u2064localhost", 442 | "description": "Normalization of the Invisible Plus (U+2064) will return empty string", 443 | "filters": [], 444 | "tags": ["URL"], 445 | "id": "b118f85620996226feec7ad296eef34cfb21ecac" 446 | }, 447 | { 448 | "payload": "localho\ufb06", 449 | "description": "Latin Small Ligature St localhost", 450 | "filters": [], 451 | "tags": ["URL", "HOST"], 452 | "id": "ee76a3748efe5600d5df6dd15f3dac84f18686d0" 453 | }, 454 | { 455 | "payload": "lo\u3388host", 456 | "description": "Square Cal localhost", 457 | "filters": [], 458 | "tags": ["URL", "HOST"], 459 | "id": "5001c74bfa2c7dc3a7da2c9181071dd662973a99" 460 | }, 461 | { 462 | "payload": "localho\ufb05", 463 | "description": "Latin Small Ligature Long S T localhost", 464 | "filters": [], 465 | "tags": ["URL", "HOST"], 466 | "id": "656205cf0e4d096054ab429fd2dcbb42365f3522" 467 | } 468 | ] 469 | } 470 | -------------------------------------------------------------------------------- /src/url-spliting_unicode_characters.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "URL-splitting Unicode characters", 3 | "payloads": [ 4 | { 5 | "filters": [], 6 | "tags": ["URL"], 7 | "payload": "\u2a74", 8 | "description": " URL-splitting Unicode characters ::", 9 | "id": "ce173786c6c8219618af8b2e7eb1b77081981cbd" 10 | }, 11 | { 12 | "filters": [], 13 | "tags": ["URL"], 14 | "payload": "\uff1a", 15 | "description": " URL-splitting Unicode characters :", 16 | "id": "900407cfa0822f509644f88e7c582a6849d10906" 17 | }, 
18 | { 19 | "filters": [], 20 | "tags": ["URL"], 21 | "payload": "\ufe55", 22 | "description": " URL-splitting Unicode characters :", 23 | "id": "d065aeef1c894a84228124ff535709e6049d8ed3" 24 | }, 25 | { 26 | "filters": [], 27 | "tags": ["URL"], 28 | "payload": "\ufe13", 29 | "description": " URL-splitting Unicode characters :", 30 | "id": "d955b21f083f4570355906d3abb4772bb7bde3a0" 31 | }, 32 | { 33 | "filters": [], 34 | "tags": ["URL"], 35 | "payload": "\u2049", 36 | "description": " URL-splitting Unicode characters ?", 37 | "id": "a9a1f374d17d1a92a40c3d968c78a754b70b8df2" 38 | }, 39 | { 40 | "filters": [], 41 | "tags": ["URL"], 42 | "payload": "\u2048", 43 | "description": " URL-splitting Unicode characters ?", 44 | "id": "d2d8f7e349ff73a12f4c6600c11932b06721fba0" 45 | }, 46 | { 47 | "filters": [], 48 | "tags": ["URL"], 49 | "payload": "\u2047", 50 | "description": " URL-splitting Unicode characters ??", 51 | "id": "c120774e27a8b5b7c4ee1a882cd38f1eb08376b5" 52 | }, 53 | { 54 | "filters": [], 55 | "tags": ["URL"], 56 | "payload": "\uff1f", 57 | "description": " URL-splitting Unicode characters ?", 58 | "id": "59465b75de8b391a60c5e57b4952bb8c30abe1ae" 59 | }, 60 | { 61 | "filters": [], 62 | "tags": ["URL"], 63 | "payload": "\ufe56", 64 | "description": " URL-splitting Unicode characters ?", 65 | "id": "0787cb4afc9b3c11f17aac087b80f203282b77f0" 66 | }, 67 | { 68 | "filters": [], 69 | "tags": ["URL"], 70 | "payload": "\ufe16", 71 | "description": " URL-splitting Unicode characters ?", 72 | "id": "b0320b30a71051559304ef0c2e60179c246a0487" 73 | }, 74 | { 75 | "filters": [], 76 | "tags": ["URL"], 77 | "payload": "\u2026", 78 | "description": " URL-splitting Unicode characters ...", 79 | "id": "2f52df617bee2c9d82be632d70c8da763816ea5d" 80 | }, 81 | { 82 | "filters": [], 83 | "tags": ["URL"], 84 | "payload": "\ufe19", 85 | "description": " URL-splitting Unicode characters ...", 86 | "id": "82ef60e06d86425ea7136e38f34bc420495172d0" 87 | }, 88 | { 89 | "filters": [], 90 | 
"tags": ["URL"], 91 | "payload": "\u2025", 92 | "description": " URL-splitting Unicode characters ..", 93 | "id": "2a2789887311325b236b35dfa287d1bc274c1e4f" 94 | }, 95 | { 96 | "filters": [], 97 | "tags": ["URL"], 98 | "payload": "\ufe30", 99 | "description": " URL-splitting Unicode characters ..", 100 | "id": "668040dff0dfa7a13568c7dc4eab546b7810ce2a" 101 | }, 102 | { 103 | "filters": [], 104 | "tags": ["URL"], 105 | "payload": "\u2024", 106 | "description": " URL-splitting Unicode characters .", 107 | "id": "76960504d99178d39cc2c40033f7a6e05bc53357" 108 | }, 109 | { 110 | "filters": [], 111 | "tags": ["URL"], 112 | "payload": "\ufe52", 113 | "description": " URL-splitting Unicode characters .", 114 | "id": "0f02c7f2ff4deb30c61b447c53de649acb881ffe" 115 | }, 116 | { 117 | "filters": [], 118 | "tags": ["URL"], 119 | "payload": "\uff20", 120 | "description": " URL-splitting Unicode characters @", 121 | "id": "87833f6cf76c0552147058caef14bf5e409d2bed" 122 | }, 123 | { 124 | "filters": [], 125 | "tags": ["URL"], 126 | "payload": "\ufe6b", 127 | "description": " URL-splitting Unicode characters @", 128 | "id": "87e76eee1b817b489f9aa77e8eb12ebd5fc3a1c7" 129 | }, 130 | { 131 | "filters": [], 132 | "tags": ["URL"], 133 | "payload": "\uff0f", 134 | "description": " URL-splitting Unicode characters /", 135 | "id": "66a6c0ab76dc0fc995320d00f115de33c8fca4ab" 136 | }, 137 | { 138 | "filters": [], 139 | "tags": ["URL"], 140 | "payload": "\uff3c", 141 | "description": " URL-splitting Unicode characters \\", 142 | "id": "26024ea0b4900e3a4639419c24fe1e7c591b544f" 143 | }, 144 | { 145 | "filters": [], 146 | "tags": ["URL"], 147 | "payload": "\ufe68", 148 | "description": " URL-splitting Unicode characters \\", 149 | "id": "823230cba499948d0220e0174ae224b820126bd3" 150 | }, 151 | { 152 | "filters": [], 153 | "tags": ["URL"], 154 | "payload": "\uff03", 155 | "description": " URL-splitting Unicode characters #", 156 | "id": "8696eec75e130be0f8064d337b41aba679da76bb" 157 | }, 158 | { 
159 | "filters": [], 160 | "tags": ["URL"], 161 | "payload": "\ufe5f", 162 | "description": " URL-splitting Unicode characters #", 163 | "id": "16464e0f9500679ed754ee6009e239ff0b5135d8" 164 | }, 165 | { 166 | "filters": [], 167 | "tags": ["URL"], 168 | "payload": "\u2488", 169 | "description": " URL-splitting Unicode characters .", 170 | "id": "c22ae5661a3e8cf46ba67b6b906d66cb4e54588e" 171 | }, 172 | { 173 | "filters": [], 174 | "tags": ["URL"], 175 | "payload": "\u2491", 176 | "description": " URL-splitting Unicode characters .", 177 | "id": "25ccc7b9e28bcaa3b651f080de0366a24b503626" 178 | }, 179 | { 180 | "filters": [], 181 | "tags": ["URL"], 182 | "payload": "\u2492", 183 | "description": " URL-splitting Unicode characters .", 184 | "id": "883bc634c898441dd6468b6e7eae270b2704422c" 185 | }, 186 | { 187 | "filters": [], 188 | "tags": ["URL"], 189 | "payload": "\u2493", 190 | "description": " URL-splitting Unicode characters .", 191 | "id": "8e31cc6906c5ff83cbe1aab706887558021186e3" 192 | }, 193 | { 194 | "filters": [], 195 | "tags": ["URL"], 196 | "payload": "\u2494", 197 | "description": " URL-splitting Unicode characters .", 198 | "id": "83b964545f9d2a7690b8fc4eb02838fbbe9141eb" 199 | }, 200 | { 201 | "filters": [], 202 | "tags": ["URL"], 203 | "payload": "\u2495", 204 | "description": " URL-splitting Unicode characters .", 205 | "id": "4e22e465b380c7a8dc66b4da240d0762181b2c25" 206 | }, 207 | { 208 | "filters": [], 209 | "tags": ["URL"], 210 | "payload": "\u2496", 211 | "description": " URL-splitting Unicode characters .", 212 | "id": "35a4a8e7c0f775877c2d0ccbab584a6624c6a695" 213 | }, 214 | { 215 | "filters": [], 216 | "tags": ["URL"], 217 | "payload": "\u2497", 218 | "description": " URL-splitting Unicode characters .", 219 | "id": "d3b5da8076839801a5db9ed3cea400e8b91ae0d7" 220 | }, 221 | { 222 | "filters": [], 223 | "tags": ["URL"], 224 | "payload": "\u2498", 225 | "description": " URL-splitting Unicode characters .", 226 | "id": 
"c585df8b4b35a85dc42571261416b81dd77bdb80" 227 | }, 228 | { 229 | "filters": [], 230 | "tags": ["URL"], 231 | "payload": "\u2499", 232 | "description": " URL-splitting Unicode characters .", 233 | "id": "f8a6bd96ec7590aa8af9ebce9129e974087a62f3" 234 | }, 235 | { 236 | "filters": [], 237 | "tags": ["URL"], 238 | "payload": "\u249a", 239 | "description": " URL-splitting Unicode characters .", 240 | "id": "998be41b98dfd0b7bd3748e0e8628d3053467e39" 241 | }, 242 | { 243 | "filters": [], 244 | "tags": ["URL"], 245 | "payload": "\u2489", 246 | "description": " URL-splitting Unicode characters .", 247 | "id": "8b12a515eb0e2bcb2a75b4f44ab0abe22c693997" 248 | }, 249 | { 250 | "filters": [], 251 | "tags": ["URL"], 252 | "payload": "\u249b", 253 | "description": " URL-splitting Unicode characters .", 254 | "id": "a77e698a459e0dbce6fe578a20110a737cf3f515" 255 | }, 256 | { 257 | "filters": [], 258 | "tags": ["URL"], 259 | "payload": "\u248a", 260 | "description": " URL-splitting Unicode characters .", 261 | "id": "2a9c1f8196729cacd016a64e54594333b4b31e13" 262 | }, 263 | { 264 | "filters": [], 265 | "tags": ["URL"], 266 | "payload": "\u248b", 267 | "description": " URL-splitting Unicode characters .", 268 | "id": "0786759c60cbf0e49029b8c805ce9b347f043f1d" 269 | }, 270 | { 271 | "filters": [], 272 | "tags": ["URL"], 273 | "payload": "\u248c", 274 | "description": " URL-splitting Unicode characters .", 275 | "id": "c977d35da5188d4cb65e96be3185717f604689d8" 276 | }, 277 | { 278 | "filters": [], 279 | "tags": ["URL"], 280 | "payload": "\u248d", 281 | "description": " URL-splitting Unicode characters .", 282 | "id": "d314592f991a4624c816719247ecf71e5262c46c" 283 | }, 284 | { 285 | "filters": [], 286 | "tags": ["URL"], 287 | "payload": "\u248e", 288 | "description": " URL-splitting Unicode characters .", 289 | "id": "8b89e626313a9d8935e9dabeaab9d3a81a73e313" 290 | }, 291 | { 292 | "filters": [], 293 | "tags": ["URL"], 294 | "payload": "\u248f", 295 | "description": " URL-splitting 
Unicode characters .", 296 | "id": "4e68d5dee777ec89fd296e5aed4232d3352a3f4c" 297 | }, 298 | { 299 | "filters": [], 300 | "tags": ["URL"], 301 | "payload": "\u2490", 302 | "description": " URL-splitting Unicode characters .", 303 | "id": "18cac8fd5ab3150ead6bdf14f1a887488470d8dd" 304 | }, 305 | { 306 | "filters": [], 307 | "tags": ["URL"], 308 | "payload": "\u33c2", 309 | "description": " URL-splitting Unicode characters .", 310 | "id": "574c99352aeb2459ec389521990d1c3ca0693366" 311 | }, 312 | { 313 | "filters": [], 314 | "tags": ["URL"], 315 | "payload": "\u2100", 316 | "description": " URL-splitting Unicode characters /", 317 | "id": "7ef5d30221e065bdf7e209f96b7a678f0d9880dc" 318 | }, 319 | { 320 | "filters": [], 321 | "tags": ["URL"], 322 | "payload": "\u2101", 323 | "description": " URL-splitting Unicode characters /", 324 | "id": "887e117ebfd05f32d5caa607dcec1863fe12a74a" 325 | }, 326 | { 327 | "filters": [], 328 | "tags": ["URL"], 329 | "payload": "\u2105", 330 | "description": " URL-splitting Unicode characters /", 331 | "id": "87b02d270150fb0a52ad168dc1b4d20eed22bf4d" 332 | }, 333 | { 334 | "filters": [], 335 | "tags": ["URL"], 336 | "payload": "\u2106", 337 | "description": " URL-splitting Unicode characters /", 338 | "id": "66812c84a21275e15ebf4e1346eb1c2612d1697c" 339 | }, 340 | { 341 | "filters": [], 342 | "tags": ["URL"], 343 | "payload": "\u33c7", 344 | "description": " URL-splitting Unicode characters .", 345 | "id": "e78d5d3d56fabbcd0190dd01fae48f3c56a2cef8" 346 | }, 347 | { 348 | "filters": [], 349 | "tags": ["URL"], 350 | "payload": "\u33d8", 351 | "description": " URL-splitting Unicode characters .", 352 | "id": "1d8d15a2cbcf62c4f954ad75b2ed8de5ff7e7567" 353 | }, 354 | { 355 | "filters": [], 356 | "tags": ["URL"], 357 | "payload": "\ud83c", 358 | "description": " URL-splitting Unicode characters .", 359 | "id": "1b6233423e4100c0a05774d5ab7de2d49b72e11c" 360 | } 361 | ] 362 | } 363 | 
--------------------------------------------------------------------------------