URL parsing: A ticking time bomb of security exploits (Security News, January 2022)
A team of security researchers has found serious weaknesses in the way the modern internet parses URLs. The problem is not one buggy library: there are many URL parsers in use, they follow inconsistent rules, and when two of them handle the same URL in one request path, the gap between their interpretations is something a savvy attacker can exploit.
We do not need to look very hard for an example of URL parsing being abused in the wild to devastating effect. The late-2021 Log4j exploit is a perfect example, the researchers said in their report.
Attackers pivoted quickly to find a way around the first fix, which only allowed JNDI lookups to a whitelisted host such as localhost. They found that by prefixing the malicious LDAP host with localhost and separating the two with a # symbol, they could make the fix's URL validator see an allowed host while the JNDI client that actually made the connection used the attacker's host, so the attack carried on.
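The bypass described above is a parser differential: one component validates the host with a fragment-aware parser, another resolves it with a parser that does not treat # specially. The following is an added example, not code from the article or from Log4j; it models the two views with Python's urllib.parse on one side and a hypothetical minimal authority splitter on the other, and shows the check a hardened validator should make (require both views to agree). The host name evil.example and the port 1389 are constructed sample input.

```python
from urllib.parse import urlsplit

# Hosts the (hypothetical) first fix would allow JNDI lookups to.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample input: attacker-controlled host hidden behind a '#'.
SAMPLE_URL = "ldap://127.0.0.1#evil.example:1389/a"


def host_per_rfc3986(url):
    """Host as a fragment-aware (RFC 3986 style) parser sees it.

    urllib stops the authority at the first '#', so everything after it
    is a fragment and the host is just '127.0.0.1'.
    """
    return urlsplit(url).hostname


def host_per_naive_authority(url):
    """Host as a parser that ignores '#' in the authority sees it.

    Hypothetical minimal parser (an assumption of this example, not the
    JDK's or Log4j's code) that splits host:port off the authority before
    doing any fragment handling, the way a scheme-specific client might.
    """
    _, _, rest = url.partition("://")
    authority = rest.split("/", 1)[0]
    if ":" in authority:
        host = authority.rsplit(":", 1)[0]
    else:
        host = authority
    return host.strip("[]")


def validator_allows(url):
    """The flawed check: validate the host using only the RFC 3986 view."""
    return host_per_rfc3986(url) in ALLOWED_HOSTS


def differential(url):
    """Return (validator verdict, host the naive client would connect to)."""
    return validator_allows(url), host_per_naive_authority(url)


def hardened_allows(url):
    """Hardened check: reject unless both parsers agree on the host and
    that host is on the allow list. Disagreement is itself a red flag."""
    rfc_host = host_per_rfc3986(url)
    naive_host = host_per_naive_authority(url)
    if rfc_host is None or rfc_host != naive_host:
        return False
    return rfc_host in ALLOWED_HOSTS


if __name__ == "__main__":
    allowed, connect_host = differential(SAMPLE_URL)
    print(f"validator allows: {allowed}; client connects to: {connect_host}")
    print(f"hardened validator allows: {hardened_allows(SAMPLE_URL)}")
```

On the sample URL the flawed validator says yes (it sees 127.0.0.1) while the naive client connects to 127.0.0.1#evil.example, which is exactly the disagreement the Log4j bypass relied on; the hardened check refuses it and still accepts a plain ldap://127.0.0.1:1389/a.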
To understand why URL parsing vulnerabilities are dangerous, it helps to know exactly what URL parsing means, and the report does a good job of explaining that.
URLs were first defined in 1994 (RFC 1738), and the first parsers for breaking a URL into its components (scheme, host, port, path, query, fragment) were written against that definition. Since then several further requests for comment, notably RFC 3986, have revised the rules, and parsers written against different revisions, or against none in particular, do not always agree on the same input.
Scheme mixup, which involves parsing a URL that belongs to a specific scheme with a generic parser rather than one that understands that scheme's rules.