Same URL. Two Servers. Two Different Hostnames. 🔓 #shorts #coding #security
Two Docker containers, one URL, two different hostnames. This is URL parser confusion, and it is the bug class behind a hostname-spoofing CVE in a package with 28 million weekly downloads.
What you're seeing:
→ Node.js and Python parse the SAME URL differently
→ A single backslash moves the end of the hostname: the WHATWG parser stops the host at `\`, urllib keeps it as part of the host
→ A hex IPv4 literal such as 0x7f000001 stays a literal string in Python's urllib, so a denylist that compares against "127.0.0.1" never matches, while the WHATWG parser (and the OS resolver) normalise it to 127.0.0.1
→ Node (WHATWG URL Standard) and Python (RFC 3986 style urllib) disagree on exactly these edge cases
→ These disagreements led to real CVEs affecting millions of apps
Real CVEs demonstrated:
→ CVE-2022-0686 - npm url-parse hostname spoofing (28M weekly downloads)
→ CVE-2023-24329 - Python urllib: a URL starting with a blank character bypassed scheme and host checks
→ Orange Tsai 2024 - Apache HTTP Server URL parsing confusion (9 CVEs)
📖 The Standards (read them yourself):
→ WHATWG URL Standard (used by Node.js & browsers): https://url.spec.whatwg.org/
→ RFC 3986 (the model Python urllib follows): https://datatracker.ietf.org/doc/html/rfc3986
→ Backslash handling: for special schemes (http, https, ws, wss, ftp, file) the WHATWG basic URL parser treats U+005C (\) the same as U+002F (/), so `new URL("http://a\\b")` in Node has hostname "a" and path "/b". RFC 3986 gives \ no such role, so urllib's authority component runs up to the next "/", "?" or "#" and the backslash ends up inside the host.
📄 CVE Details:
→ CVE-2022-0686: https://nvd.nist.gov/vuln/detail/CVE-2022-0686
→ CVE-2023-24329: https://nvd.nist.gov/vuln/detail/CVE-2023-24329
→ Orange Tsai's research: https://blog.orange.tw/posts/2024-08-confusion-attacks-en/
The lesson: if your security check and your HTTP client use different URL parsers, an attacker WILL find the gap. Reject anything the parsers disagree on, validate the address the host actually resolves to (not the hostname string), and connect to that same address.
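The differential described above, shown side by side with a fail-closed check, as an added example that is not code from the video or from any of the projects it names. urllib.parse is used as-is; whatwg_host() is a small re-implementation of the WHATWG rules that matter here (strip C0/space, backslash acts as slash, numeric IPv4 forms normalised), not the full standard; the URLs, the FAKE_DNS table and fake_resolve() are constructed so the script runs offline.

```python
"""urllib.parse (RFC 3986 style) vs. the WHATWG URL parser (Node's `new URL()`),
plus a fail-closed SSRF-style URL check that validates the resolved address.

Added example, not from the video. FAKE_DNS / fake_resolve() are a constructed
stand-in for socket.getaddrinfo(); whatwg_host() approximates the WHATWG rules.
"""
import ipaddress
import re
from urllib.parse import urlsplit

C0_AND_SPACE = "".join(chr(i) for i in range(0x21))


def python_host(url):
    """Hostname as urllib.parse sees it: the authority runs up to the first / ? #."""
    return urlsplit(url).hostname


def _ipv4_number(part):
    """One dot-separated IPv4 part, WHATWG style: 0x hex, leading-0 octal, decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        if not re.fullmatch(r"[0-7]+", part):
            raise ValueError("bad octal part")
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part)
    raise ValueError("non-numeric part")


def whatwg_ipv4(host):
    """WHATWG IPv4 parser. Returns a dotted quad when the host 'ends in a number'
    (Node then treats it as an IP), None when it is a domain name, and raises
    ValueError when it is numeric but invalid (Node throws in that case)."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                       # one trailing dot is tolerated
    if not re.fullmatch(r"[0-9]+|0[xX][0-9a-fA-F]*", parts[-1]):
        return None
    if len(parts) > 4:
        raise ValueError("too many parts")
    nums = [_ipv4_number(p) for p in parts]
    # all but the last part are one byte; the last part fills the remaining bytes
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        raise ValueError("part out of range")
    value = nums[-1] + sum(n << (8 * (3 - i)) for i, n in enumerate(nums[:-1]))
    return str(ipaddress.IPv4Address(value))


def whatwg_host(url):
    """Approximation of `new URL(url).hostname` for http/https input."""
    u = url.strip(C0_AND_SPACE)           # leading/trailing C0 controls and spaces go
    u = re.sub(r"[\t\n\r]", "", u)        # tabs and newlines are removed anywhere
    u = u.replace("\\", "/")              # special schemes: backslash acts as slash
    host = urlsplit(u).hostname
    if host is None:
        return None
    return whatwg_ipv4(host) or host


def is_blocked(ip):
    """Addresses an outbound fetcher must never reach."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


FAKE_DNS = {"example.com": ["93.184.216.34"],      # constructed table, offline only
            "internal.example": ["10.0.0.5"]}      # a public name pointing inward


def fake_resolve(host):
    """Offline stand-in for socket.getaddrinfo(): IP literals resolve to
    themselves, names are looked up in the constructed FAKE_DNS table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def check_url(url, resolve=fake_resolve):
    """Fail-closed allow check. Returns (True, host) or (False, reason).
    Rejects input the two parsers would read differently, then validates every
    address the host resolves to rather than the hostname string."""
    if re.search(r"[\s\\]", url):
        return False, "whitespace or backslash in URL"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "empty host"
    try:
        if whatwg_host(url) != host:      # hex/octal/short IPv4 forms land here
            return False, f"parser disagreement on host {host!r}"
    except ValueError as exc:
        return False, f"WHATWG parser rejects host: {exc}"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_blocked(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to blocked address {addr}"
    return True, host


if __name__ == "__main__":
    for u in ["http://a\\b/x", "http://0x7f000001/", "http://127.1/",
              " http://example.com/", "http://internal.example/", "http://example.com/"]:
        print(f"{u!r:26} urllib={python_host(u)!r:14} check={check_url(u)}")
```

In production, replace fake_resolve() with a real lookup and then open the connection to the exact address you validated (pin it), otherwise a second lookup at connect time lets DNS rebinding swap in an internal address after the check has passed. Percent-encoding and IDNA differences between the two parsers are not modelled here; the same "reject on disagreement" rule applies to them.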
#urlparsing #security #ssrf #cve #nodejs #python #docker #cybersecurity #programming #opensource #coding #shorts #websecurity #infosec
Video "Same URL. Two Servers. Two Different Hostnames. 🔓 #shorts #coding #security" from the channel Kishore Newton
No comments
Video information
19 February 2026, 22:04:18
Duration: 00:00:42