public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request from GHSA-5m6c-jp6f-2vcv 

* Add more Open Redirect test cases

* Add whitelisted domain to test

* Add more test cases

* Improve invalid redirect regex
This commit is contained in:
Joel Speed 2020-06-27 12:07:24 +01:00 committed by GitHub
parent 1b6c54cae1
commit ee5662e0f5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 641 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
oauthproxy.go
View File

@ -63,7 +63,7 @@ var (
// Used to check final redirects are not susceptible to open redirects. // Used to check final redirects are not susceptible to open redirects.
// Matches //, /\ and both of these with whitespace in between (eg / / or / \). // Matches //, /\ and both of these with whitespace in between (eg / / or / \).
invalidRedirectRegex = regexp.MustCompile(`^/(\s|\v)?(/|\\)`) invalidRedirectRegex = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`)
) )
// OAuthProxy is the main authentication proxy // OAuthProxy is the main authentication proxy

81
oauthproxy_test.go
View File

@ -1,6 +1,7 @@
package main package main
import ( import (
"bufio"
"context" "context"
"crypto" "crypto"
"encoding/base64" "encoding/base64"
@ -11,6 +12,7 @@ import (
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url" "net/url"
"os"
"regexp" "regexp"
"strings" "strings"
"testing" "testing"
@ -386,6 +388,41 @@ func TestIsValidRedirect(t *testing.T) {
Redirect: "/\r\\evil.com", Redirect: "/\r\\evil.com",
ExpectedResult: false, ExpectedResult: false,
}, },
{
Desc: "openRedirectTripleTab",
Redirect: "/\t\t/\t/evil.com",
ExpectedResult: false,
},
{
Desc: "openRedirectTripleTab2",
Redirect: "/\t\t\\\t/evil.com",
ExpectedResult: false,
},
{
Desc: "openRedirectQuadTab1",
Redirect: "/\t\t/\t\t\\evil.com",
ExpectedResult: false,
},
{
Desc: "openRedirectQuadTab2",
Redirect: "/\t\t\\\t\t/evil.com",
ExpectedResult: false,
},
{
Desc: "openRedirectPeriod1",
Redirect: "/./\\evil.com",
ExpectedResult: false,
},
{
Desc: "openRedirectPeriod2",
Redirect: "/./../../\\evil.com",
ExpectedResult: false,
},
{
Desc: "openRedirectDoubleTab",
Redirect: "/\t/\t\\evil.com",
ExpectedResult: false,
},
} }
for _, tc := range testCases { for _, tc := range testCases {
@ -399,6 +436,50 @@ func TestIsValidRedirect(t *testing.T) {
} }
} }
func TestOpenRedirects(t *testing.T) {
opts := NewOptions()
opts.ClientID = "skdlfj"
opts.ClientSecret = "fgkdsgj"
opts.Cookie.Secret = "ljgiogbj"
// Should match domains that are exactly foo.bar and any subdomain of bar.foo
opts.WhitelistDomains = []string{
"foo.bar",
".bar.foo",
"port.bar:8080",
".sub.port.bar:8080",
"anyport.bar:*",
".sub.anyport.bar:*",
"www.whitelisteddomain.tld",
}
opts.Validate()
proxy := NewOAuthProxy(opts, func(string) bool { return true })
file, err := os.Open("./test/openredirects.txt")
if err != nil {
t.Fatal(err)
}
defer file.Close()
scanner := bufio.NewScanner(file)
for scanner.Scan() {
rd := scanner.Text()
t.Run(rd, func(t *testing.T) {
rdUnescaped, err := url.QueryUnescape(rd)
if err != nil {
t.Fatal(err)
}
if proxy.IsValidRedirect(rdUnescaped) {
t.Errorf("Expected %q to not be valid (unescaped: %q)", rd, rdUnescaped)
}
})
}
if err := scanner.Err(); err != nil {
t.Fatal(err)
}
}
type TestProvider struct { type TestProvider struct {
*providers.ProviderData *providers.ProviderData
EmailAddress string EmailAddress string

559
test/openredirects.txt Normal file
View File

@ -0,0 +1,559 @@
";alert(0);//
%19Jav%09asc%09ript:https%20://www.whitelisteddomain.tld/%250Aconfirm%25281%2529
%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
.localdomain.pw
/%09/example.com
/%09/example.com@google.com
/%09/google.com
/%09/javascript:alert(1)
/%09/javascript:alert(1);
/%09/localdomain.pw
/%09/www.whitelisteddomain.tld@google.com
/%09/www.whitelisteddomain.tld@localdomain.pw
/%2f%2f%2fbing.com%2f%3fwww.omise.co
/%2f%2fexample.com
/%2f%2fgoogle.com
/%2f%2flocaldomain.pw
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%5cexample.com
/%5cexample.com@google.com
/%5cgoogle.com
/%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5clocaldomain.pw
/%5cwww.whitelisteddomain.tld@google.com
/%5cwww.whitelisteddomain.tld@localdomain.pw
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
//%09/example.com
//%09/example.com@google.com
//%09/google.com
//%09/localdomain.pw
//%09/www.whitelisteddomain.tld@google.com
//%09/www.whitelisteddomain.tld@localdomain.pw
//%2fxgoogle.com
//%5cexample.com
//%5cexample.com@google.com
//%5cgoogle.com
//%5cjavascript:alert(1)
//%5cjavascript:alert(1);
//%5clocaldomain.pw
//%5cwww.whitelisteddomain.tld@google.com
//%5cwww.whitelisteddomain.tld@localdomain.pw
///%09/example.com
///%09/example.com@google.com
///%09/google.com
///%09/localdomain.pw
///%09/www.whitelisteddomain.tld@google.com
///%09/www.whitelisteddomain.tld@localdomain.pw
///%5cexample.com
///%5cexample.com@google.com
///%5cgoogle.com
///%5clocaldomain.pw
///%5cwww.whitelisteddomain.tld@google.com
///%5cwww.whitelisteddomain.tld@localdomain.pw
////%09/example.com
////%09/example.com@google.com
////%09/google.com
////%09/localdomain.pw
////%09/www.whitelisteddomain.tld@google.com
////%09/www.whitelisteddomain.tld@localdomain.pw
////%5cexample.com
////%5cexample.com@google.com
////%5cgoogle.com
////%5clocaldomain.pw
////%5cwww.whitelisteddomain.tld@google.com
////%5cwww.whitelisteddomain.tld@localdomain.pw
/////example.com
/////example.com/
/////google.com/
/////localdomain.pw
/////localdomain.pw/
////\;@example.com
////example.com/
////example.com/%2e%2e
////example.com/%2e%2e%2f
////example.com/%2f%2e%2e
////example.com/%2f..
////example.com//
////example.com@google.com/
////example.com@google.com/%2e%2e
////example.com@google.com/%2e%2e%2f
////example.com@google.com/%2f%2e%2e
////example.com@google.com/%2f..
////example.com@google.com//
////google.com/
////google.com/%2e%2e
////google.com/%2e%2e%2f
////google.com/%2f%2e%2e
////google.com/%2f..
////google.com//
////localdomain.pw/
////localdomain.pw/%2e%2e
////localdomain.pw/%2e%2e%2f
////localdomain.pw/%2f%2e%2e
////localdomain.pw/%2f..
////localdomain.pw//
////www.google.com/%2e%2e
////www.google.com/%2e%2e%2f
////www.google.com/%2f%2e%2e
////www.whitelisteddomain.tld@google.com/
////www.whitelisteddomain.tld@google.com/%2f..
////www.whitelisteddomain.tld@google.com//
////www.whitelisteddomain.tld@localdomain.pw/
////www.whitelisteddomain.tld@localdomain.pw/%2e%2e
////www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
////www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
////www.whitelisteddomain.tld@localdomain.pw/%2f..
////www.whitelisteddomain.tld@localdomain.pw//
////www.whitelisteddomain.tld@www.google.com/%2e%2e
////www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
///\;@example.com
///\;@google.com
///\;@localdomain.pw
///example.com
///example.com/
///example.com/%2e%2e
///example.com/%2e%2e%2f
///example.com/%2f%2e%2e
///example.com/%2f..
///example.com//
///example.com@google.com/
///example.com@google.com/%2e%2e
///example.com@google.com/%2e%2e%2f
///example.com@google.com/%2f%2e%2e
///example.com@google.com/%2f..
///example.com@google.com//
///google.com
///google.com/
///google.com/%2e%2e
///google.com/%2e%2e%2f
///google.com/%2f%2e%2e
///google.com/%2f..
///google.com//
///localdomain.pw
///localdomain.pw/
///localdomain.pw/%2e%2e
///localdomain.pw/%2e%2e%2f
///localdomain.pw/%2f%2e%2e
///localdomain.pw/%2f..
///localdomain.pw//
///www.google.com/%2e%2e
///www.google.com/%2e%2e%2f
///www.google.com/%2f%2e%2e
///www.whitelisteddomain.tld@google.com/
///www.whitelisteddomain.tld@google.com/%2f..
///www.whitelisteddomain.tld@google.com//
///www.whitelisteddomain.tld@localdomain.pw/
///www.whitelisteddomain.tld@localdomain.pw/%2e%2e
///www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
///www.whitelisteddomain.tld@localdomain.pw/%2f..
///www.whitelisteddomain.tld@localdomain.pw//
///www.whitelisteddomain.tld@www.google.com/%2e%2e
///www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
//3H6k7lIAiqjfNeN@example.com+@google.com/
//3H6k7lIAiqjfNeN@example.com@google.com/
//3H6k7lIAiqjfNeN@www.whitelisteddomain.tld+@localdomain.pw/
//3H6k7lIAiqjfNeN@www.whitelisteddomain.tld@localdomain.pw/
//;@google.com
//;@localdomain.pw
//XY>.7d8T\205pZM@example.com+@google.com/
//XY>.7d8T\205pZM@example.com@google.com/
//XY>.7d8T\205pZM@www.whitelisteddomain.tld+@localdomain.pw/
//XY>.7d8T\205pZM@www.whitelisteddomain.tld@localdomain.pw/
//example.com
//example.com+&@google.com#+@example.com/
//example.com/
//example.com/%2e%2e
//example.com/%2e%2e%2f
//example.com/%2f%2e%2e
//example.com/%2f..
//example.com//
//example.com@google.com/
//example.com@google.com/%2e%2e%2f
//example.com@google.com/%2f%2e%2e
//example.com@google.com/%2f..
//example.com@google.com//
//example.com@https:///google.com/%2e%2e
//google%00.com
//google%E3%80%82com
//google.com
//google.com/
//google.com/%2e%2e%2f
//google.com/%2f%2e%2e
//google.com/%2f..
//google.com//
//google.com:80#@example.com/
//google.com:80?@example.com/
//google.com\@example.com
//google.com\@www.whitelisteddomain.tld
//google.com\texample.com/
//https:///example.com/%2e%2e
//https:///google.com/%2e%2e
//https:///localdomain.pw/%2e%2e
//https:///www.google.com/%2e%2e
//https://example.com/%2e%2e%2f
//https://example.com//
//https://example.com@google.com/%2e%2e%2f
//https://example.com@google.com//
//https://google.com/%2e%2e%2f
//https://google.com//
//https://localdomain.pw/%2e%2e%2f
//https://localdomain.pw//
//https://www.google.com/%2e%2e%2f
//https://www.whitelisteddomain.tld@google.com//
//https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
//https://www.whitelisteddomain.tld@localdomain.pw//
//https://www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
//javascript:alert(1)
//javascript:alert(1);
//localdomain%00.pw
//localdomain%E3%80%82pw
//localdomain.pw
//localdomain.pw/
//localdomain.pw/%2e%2e%2f
//localdomain.pw/%2f%2e%2e
//localdomain.pw/%2f..
//localdomain.pw//
//localdomain.pw:80#@www.whitelisteddomain.tld/
//localdomain.pw:80?@www.whitelisteddomain.tld/
//localdomain.pw\@www.whitelisteddomain.tld
//localdomain.pw\twww.whitelisteddomain.tld/
//www.google.com/%2e%2e%2f
//www.google.com/%2f%2e%2e
//www.whitelisteddomain.tld+&@localdomain.pw#+@www.whitelisteddomain.tld/
//www.whitelisteddomain.tld@google.com/
//www.whitelisteddomain.tld@google.com/%2f..
//www.whitelisteddomain.tld@google.com//
//www.whitelisteddomain.tld@https:///localdomain.pw/%2e%2e
//www.whitelisteddomain.tld@https:///www.google.com/%2e%2e
//www.whitelisteddomain.tld@localdomain.pw/
//www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
//www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
//www.whitelisteddomain.tld@localdomain.pw/%2f..
//www.whitelisteddomain.tld@localdomain.pw//
//www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
//www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
/<>//example.com
/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
/ReceiveAutoRedirect/false?desiredLocationUrl=http://xssposed.org
/\/\/example.com/
/\/example.com/
/\/google.com/
/\/localdomain.pw/
/example.com/%2f%2e%2e
/google.com/%2f%2e%2e
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
/http://example.com
/http://google.com
/http://localdomain.pw
/https:/%5cexample.com/
/https:/%5cgoogle.com/
/https:/%5clocaldomain.pw/
/https://%09/example.com
/https://%5cexample.com
/https://%5cexample.com@google.com
/https://%5cgoogle.com
/https://%5clocaldomain.pw
/https://%5cwww.whitelisteddomain.tld@google.com
/https://%5cwww.whitelisteddomain.tld@localdomain.pw
/https:///example.com/%2e%2e
/https:///example.com/%2f%2e%2e
/https:///example.com@google.com/%2f%2e%2e
/https:///google.com/%2f%2e%2e
/https:///localdomain.pw/%2f%2e%2e
/https:///www.google.com/%2f%2e%2e
/https:///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
/https:///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
/https://example.com
/https://example.com/
/https://example.com/%2e%2e
/https://example.com/%2e%2e%2f
/https://example.com/%2f%2e%2e
/https://example.com/%2f..
/https://example.com//
/https://example.com@google.com/
/https://example.com@google.com/%2e%2e
/https://example.com@google.com/%2f%2e%2e
/https://example.com@google.com/%2f..
/https://google.com/
/https://google.com/%2e%2e
/https://google.com/%2f%2e%2e
/https://google.com/%2f..
/https://localdomain.pw/
/https://localdomain.pw/%2e%2e
/https://localdomain.pw/%2f%2e%2e
/https://localdomain.pw/%2f..
/https://www.google.com/%2e%2e
/https://www.google.com/%2f%2e%2e
/https://www.whitelisteddomain.tld@google.com/
/https://www.whitelisteddomain.tld@google.com/%2f..
/https://www.whitelisteddomain.tld@localdomain.pw/
/https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e
/https://www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
/https://www.whitelisteddomain.tld@localdomain.pw/%2f..
/https://www.whitelisteddomain.tld@www.google.com/%2e%2e
/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
/localdomain.pw/%2f%2e%2e
/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
/x:1/:///%01javascript:alert(document.cookie)/
<>//google.com
<>//localdomain.pw
<>javascript:alert(1);
@google.com
@localdomain.pw
Javas%26%2399;ript:alert(1)
\/\/google.com/
\/\/localdomain.pw/
\152\141\166\141\163\143\162\151\160\164\072alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
data:www.whitelisteddomain.tld;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>
http://%67%6f%6f%67%6c%65%2e%63%6f%6d
http://.localdomain.pw
http://00330.00072.0000326.00000316
http://00330.0x3a.54990
http://00330.3856078
http://0330.072.0326.0316
http://0xd8.072.54990
http://0xd8.0x3a.0xd6.0xce
http://0xd8.3856078
http://0xd83ad6ce
http://3627734734
http://3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
http://3H6k7lIAiqjfNeN@00330.0x3a.54990
http://3H6k7lIAiqjfNeN@00330.3856078
http://3H6k7lIAiqjfNeN@0330.072.0326.0316
http://3H6k7lIAiqjfNeN@0xd8.072.54990
http://3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
http://3H6k7lIAiqjfNeN@0xd8.3856078
http://3H6k7lIAiqjfNeN@0xd83ad6ce
http://3H6k7lIAiqjfNeN@3627734734
http://3H6k7lIAiqjfNeN@472.314.470.462
http://3H6k7lIAiqjfNeN@[::216.58.214.206]
http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
http://3H6k7lIAiqjfNeN@example.com+@google.com/
http://3H6k7lIAiqjfNeN@example.com@google.com/
http://3H6k7lIAiqjfNeN@www.whitelisteddomain.tld+@localdomain.pw/
http://3H6k7lIAiqjfNeN@www.whitelisteddomain.tld@localdomain.pw/
http://472.314.470.462
http://;@google.com
http://;@localdomain.pw
http://XY>.7d8T\205pZM@00330.00072.0000326.00000316
http://XY>.7d8T\205pZM@00330.0x3a.54990
http://XY>.7d8T\205pZM@00330.3856078
http://XY>.7d8T\205pZM@0330.072.0326.0316
http://XY>.7d8T\205pZM@0xd8.072.54990
http://XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
http://XY>.7d8T\205pZM@0xd8.3856078
http://XY>.7d8T\205pZM@0xd83ad6ce
http://XY>.7d8T\205pZM@3627734734
http://XY>.7d8T\205pZM@472.314.470.462
http://XY>.7d8T\205pZM@[::216.58.214.206]
http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
http://XY>.7d8T\205pZM@example.com+@google.com/
http://XY>.7d8T\205pZM@example.com@google.com/
http://XY>.7d8T\205pZM@www.whitelisteddomain.tld+@localdomain.pw/
http://XY>.7d8T\205pZM@www.whitelisteddomain.tld@localdomain.pw/
http://[::216.58.214.206]
http://[::ffff:216.58.214.206]
http://example.com%2egoogle.com/
http://example.com+&@google.com#+@example.com/
http://example.com:80%40google.com/
http://example.com@00330.00072.0000326.00000316
http://example.com@00330.0x3a.54990
http://example.com@00330.3856078
http://example.com@0330.072.0326.0316
http://example.com@0xd8.072.54990
http://example.com@0xd8.0x3a.0xd6.0xce
http://example.com@0xd8.3856078
http://example.com@0xd83ad6ce
http://example.com@3627734734
http://example.com@472.314.470.462
http://example.com@[::216.58.214.206]
http://example.com@[::ffff:216.58.214.206]
http://google.com%23.example.com/
http://google.com%2f%2f.example.com/
http://google.com%3F.example.com/
http://google.com%5c%5c.example.com/
http://google.com:80#@example.com/
http://google.com:80#@www.whitelisteddomain.tld/
http://google.com:80?@example.com/
http://google.com:80?@www.whitelisteddomain.tld/
http://google.com\texample.com/
http://localdomain.pw%23.www.whitelisteddomain.tld/
http://localdomain.pw%2f%2f.www.whitelisteddomain.tld/
http://localdomain.pw%3F.www.whitelisteddomain.tld/
http://localdomain.pw%5c%5c.www.whitelisteddomain.tld/
http://localdomain.pw:80#@www.whitelisteddomain.tld/
http://localdomain.pw:80?@www.whitelisteddomain.tld/
http://localdomain.pw\twww.whitelisteddomain.tld/
http://www.localdomain.pw\.www.whitelisteddomain.tld
http://www.whitelisteddomain.tld%2elocaldomain.pw/
http://www.whitelisteddomain.tld+&@localdomain.pw#+@www.whitelisteddomain.tld/
http://www.whitelisteddomain.tld:80%40localdomain.pw/
http://www.whitelisteddomain.tld@00330.00072.0000326.00000316
http://www.whitelisteddomain.tld@00330.0x3a.54990
http://www.whitelisteddomain.tld@00330.3856078
http://www.whitelisteddomain.tld@0330.072.0326.0316
http://www.whitelisteddomain.tld@0xd8.072.54990
http://www.whitelisteddomain.tld@0xd8.0x3a.0xd6.0xce
http://www.whitelisteddomain.tld@0xd8.3856078
http://www.whitelisteddomain.tld@0xd83ad6ce
http://www.whitelisteddomain.tld@3627734734
http://www.whitelisteddomain.tld@472.314.470.462
http://www.whitelisteddomain.tld@[::216.58.214.206]
http://www.whitelisteddomain.tld@[::ffff:216.58.214.206]
http:00330.00072.0000326.00000316
http:00330.0x3a.54990
http:00330.3856078
http:0330.072.0326.0316
http:0xd8.072.54990
http:0xd8.0x3a.0xd6.0xce
http:0xd8.3856078
http:0xd83ad6ce
http:3627734734
http:3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
http:3H6k7lIAiqjfNeN@00330.0x3a.54990
http:3H6k7lIAiqjfNeN@00330.3856078
http:3H6k7lIAiqjfNeN@0330.072.0326.0316
http:3H6k7lIAiqjfNeN@0xd8.072.54990
http:3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
http:3H6k7lIAiqjfNeN@0xd8.3856078
http:3H6k7lIAiqjfNeN@0xd83ad6ce
http:3H6k7lIAiqjfNeN@3627734734
http:3H6k7lIAiqjfNeN@472.314.470.462
http:3H6k7lIAiqjfNeN@[::216.58.214.206]
http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
http:472.314.470.462
http:XY>.7d8T\205pZM@00330.00072.0000326.00000316
http:XY>.7d8T\205pZM@00330.0x3a.54990
http:XY>.7d8T\205pZM@00330.3856078
http:XY>.7d8T\205pZM@0330.072.0326.0316
http:XY>.7d8T\205pZM@0xd8.072.54990
http:XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
http:XY>.7d8T\205pZM@0xd8.3856078
http:XY>.7d8T\205pZM@0xd83ad6ce
http:XY>.7d8T\205pZM@3627734734
http:XY>.7d8T\205pZM@472.314.470.462
http:XY>.7d8T\205pZM@[::216.58.214.206]
http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
http:[::216.58.214.206]
http:[::ffff:216.58.214.206]
http:example.com@00330.00072.0000326.00000316
http:example.com@00330.0x3a.54990
http:example.com@00330.3856078
http:example.com@0330.072.0326.0316
http:example.com@0xd8.072.54990
http:example.com@0xd8.0x3a.0xd6.0xce
http:example.com@0xd8.3856078
http:example.com@0xd83ad6ce
http:example.com@3627734734
http:example.com@472.314.470.462
http:example.com@[::216.58.214.206]
http:example.com@[::ffff:216.58.214.206]
http:www.whitelisteddomain.tld@00330.00072.0000326.00000316
http:www.whitelisteddomain.tld@00330.0x3a.54990
http:www.whitelisteddomain.tld@00330.3856078
http:www.whitelisteddomain.tld@0330.072.0326.0316
http:www.whitelisteddomain.tld@0xd8.072.54990
http:www.whitelisteddomain.tld@0xd8.0x3a.0xd6.0xce
http:www.whitelisteddomain.tld@0xd8.3856078
http:www.whitelisteddomain.tld@0xd83ad6ce
http:www.whitelisteddomain.tld@3627734734
http:www.whitelisteddomain.tld@472.314.470.462
http:www.whitelisteddomain.tld@[::216.58.214.206]
http:www.whitelisteddomain.tld@[::ffff:216.58.214.206]
https://%09/example.com@google.com
https://%09/google.com
https://%09/localdomain.pw
https://%09/www.whitelisteddomain.tld@google.com
https://%09/www.whitelisteddomain.tld@localdomain.pw
https://%5cexample.com@google.com
https://%5cgoogle.com
https://%5clocaldomain.pw
https://%5cwww.whitelisteddomain.tld@google.com
https://%5cwww.whitelisteddomain.tld@localdomain.pw
https:///example.com@google.com/%2e%2e
https:///example.com@google.com/%2f%2e%2e
https:///google.com/%2e%2e
https:///google.com/%2f%2e%2e
https:///localdomain.pw/%2e%2e
https:///localdomain.pw/%2f%2e%2e
https:///www.google.com/%2e%2e
https:///www.google.com/%2f%2e%2e
https:///www.whitelisteddomain.tld@localdomain.pw/%2e%2e
https:///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
https:///www.whitelisteddomain.tld@www.google.com/%2e%2e
https:///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
https://:@google.com\@example.com
https://:@google.com\@www.whitelisteddomain.tld
https://:@localdomain.pw\@www.whitelisteddomain.tld
https://example.com/https://google.com/
https://example.com@google.com
https://example.com@google.com/
https://example.com@google.com/%2e%2e%2f
https://example.com@google.com/%2f%2e%2e
https://example.com@google.com/%2f..
https://example.com@google.com//
https://google.com
https://google.com/
https://google.com/%2e%2e%2f
https://google.com/%2f%2e%2e
https://google.com/%2f..
https://google.com//
https://localdomain.pw
https://localdomain.pw/
https://localdomain.pw/%2e%2e%2f
https://localdomain.pw/%2f%2e%2e
https://localdomain.pw/%2f..
https://localdomain.pw//
https://www.google.com/%2e%2e%2f
https://www.google.com/%2f%2e%2e
https://www.whitelisteddomain.tld@google.com
https://www.whitelisteddomain.tld@google.com/
https://www.whitelisteddomain.tld@google.com/%2f..
https://www.whitelisteddomain.tld@google.com//
https://www.whitelisteddomain.tld@localdomain.pw
https://www.whitelisteddomain.tld@localdomain.pw/
https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
https://www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
https://www.whitelisteddomain.tld@localdomain.pw/%2f..
https://www.whitelisteddomain.tld@localdomain.pw//
https://www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
https:google.com
https:localdomain.pw
jaVAscript://www.whitelisteddomain.tld//%0d%0aalert(1);//
ja\nva\tscript\r:alert(1)
java%09script:alert(1)
java%0ascript:alert(1)
java%0d%0ascript%0d%0a:alert(0)
java%0dscript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript://%0aalert(1)
javascript://example.com?%a0alert%281%29
javascript://https://example.com/?z=%0Aalert(1)
javascript://https://www.whitelisteddomain.tld/?z=%0Aalert(1)
javascript://www.whitelisteddomain.tld?%a0alert%281%29
javascript:alert(1)
javascript:alert(1);
〱google.com
〱localdomain.pw
〵google.com
〵localdomain.pw
ゝgoogle.com
ゝlocaldomain.pw
ーgoogle.com
ーlocaldomain.pw
ーgoogle.com
ーlocaldomain.pw