Bypassing URL verification

Question

I'm dealing with a URL validation function that was made by the developer (instead of using trusted methods).

Here is a slightly modified version of the function:

    public static bool IsValidURL(string url) {
        string parsedurl = url.ToLower().Substring(8, url.IndexOf("/", 8) - 8);
        return url.StartsWith("https") && parsedurl.EndsWith("example.com");
    }

I need this function to return true for a URL string I supply and the URL must also be compatible with C#'s WebClient. My goal is to have it to connect to my own web server, any ideas?

score 0 · Accepted Answer · edited May 26 '19 at 11:05

0

I think this will make it pass

https://compromised.server.com?example.com/

As long as example.com/ is at the end of the URL and there are no other slashes, you can add as many query parameters as you want with other data.

edited May 26 '19 at 11:05

schroeder

123,438
55
284
319

answered May 26 '19 at 06:43

Augusto

398
1
11

Bypassing URL verification

1 Answers1