The URL parsing functions focus on splitting a URL string into its components, or on combining URL components into a URL string.
The urllib.parse module is commonly used for parsing URLs, but a blocklist check built on it can be bypassed by prepending blank characters to the URL. This affects Python versions prior to 3.11.4 (CVE-2023-24329); newer versions strip leading whitespace before parsing.
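A quick way to see the problem (a minimal sketch; the exact output for the padded URL depends on your Python version) is to compare how urlparse handles the two strings:

```python
from urllib.parse import urlparse

clean = urlparse("http://example.com/")
padded = urlparse(" http://example.com/")

# A normal URL parses into the expected components.
print(clean.scheme, clean.netloc)  # http example.com

# On Python versions before 3.11.4, the leading space prevents the
# scheme from being recognized, so geturl() reproduces the space and
# the string no longer equals the blocklist entry. On patched
# versions, leading whitespace is stripped before parsing.
print(repr(padded.geturl()))
```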
Let's break down example.py
Here is a set of websites that you should not access:
import urllib.parse

blocked_list = [
    "http://example.com/",
    "http://example2.com/"
]
This function checks whether a URL is on the blocked list; if it is, it returns URL Blocked:
def is_url_blocked(url):
    parsed = urllib.parse.urlparse(url).geturl()
    if parsed in blocked_list:
        return 'URL Blocked'
    return 'Bypassed'
Now I define two URLs and check whether either of them is blocked:
payload1 = " http://example.com/"
payload2 = "http://example.com/"
print(
is_url_blocked(payload1),
"\n",
is_url_blocked(payload2)
)
payload1
is where I bypassed is_url_blocked():
the leading space means urllib.parse.urlparse(url).geturl() does not return a string equal to the blocklist entry, so the comparison fails and the check does not behave as expected.
That's why the output for payload1 is
Bypassed
while for payload2 we get
URL Blocked
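One simple hardening (a sketch under my own assumptions; the name is_url_blocked_hardened and the hosts in blocked_hosts are mine, not from the original script) is to strip surrounding whitespace before parsing and to compare hostnames rather than full URL strings:

```python
import urllib.parse

blocked_hosts = {"example.com", "example2.com"}

def is_url_blocked_hardened(url):
    # Strip surrounding whitespace so a padded URL cannot slip past
    # the string comparison on vulnerable Python versions.
    parsed = urllib.parse.urlparse(url.strip())
    # Compare the hostname instead of the raw URL string, so a
    # trailing slash or different path does not defeat the check.
    if parsed.hostname in blocked_hosts:
        return 'URL Blocked'
    return 'Bypassed'

print(is_url_blocked_hardened(" http://example.com/"))      # URL Blocked
print(is_url_blocked_hardened("http://example.com/"))       # URL Blocked
print(is_url_blocked_hardened("http://safe.example.org/"))  # Bypassed
```

With this version both payload1 and payload2 are caught, regardless of the Python version, because the comparison happens on the normalized hostname.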
If you would like to support me with a donation, I recommend giving it to someone who really needs it. If you do so, then consider that I have earned your support.