
I would like to know if this code is secure for validating that a URL is from my domain before loading it in a WebView on Android:

// Only URLs under https://www.example.com/test/ may be loaded; anything else sets the flag
if (!url.startsWith("https://www.example.com/test/")) {
    // don't load the url
    dontload = true;
}

It looks secure, but do you know if there is any way to bypass it? Maybe with URL encoding?

I use this code in onPreExecute to set the boolean that is checked before loading the URL.

I get the URL from url = getIntent().getDataString()

Neolex

1 Answer

Such a check is safe.

A similar check might be error-prone. For instance, if you used

url.startsWith("https://www.example.com")

it could give an unexpected result if you had a URL like

https://www.example.com@www.google.com

The part before @ would be interpreted as user+password. But the user+password part cannot contain an unescaped /. The URL you test includes / (...com/...), thus you're protected against such attacks.

I don't see any weaknesses in your check.

mentallurg
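The following is an added example, not code from the question or the answer, that puts the two prefix checks discussed above side by side and shows where java.net.URI would actually send each request. The test inputs are constructed for this illustration; the class and method names are my own. It treats a null URL (which getIntent().getDataString() can return) as "do not load" rather than crashing, and it also shows a second way the shorter prefix is weak: a host that merely begins with www.example.com.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class UrlPrefixCheck {
    // The check from the question: scheme, host and leading path segment are all fixed.
    static final String STRICT_PREFIX = "https://www.example.com/test/";
    // The weaker variant from the answer: nothing terminates the authority part.
    static final String WEAK_PREFIX = "https://www.example.com";

    /** The questioner's check; null is treated as "do not load" instead of throwing. */
    static boolean allowedStrict(String url) {
        return url != null && url.startsWith(STRICT_PREFIX);
    }

    /** The weaker prefix check used in the answer's counter-example. */
    static boolean allowedWeak(String url) {
        return url != null && url.startsWith(WEAK_PREFIX);
    }

    /** Host a URI parser extracts from the string, or null if it cannot be parsed. */
    static String effectiveHost(String url) {
        if (url == null) {
            return null;
        }
        try {
            return new URI(url).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs (hypothetical hosts; not taken from the original post).
        String[] inputs = {
            "https://www.example.com/test/page.html",     // legitimate
            "https://www.example.com@www.google.com",     // userinfo trick from the answer
            "https://www.example.com.evil.net/test/",     // host that merely starts with ours
            "https://www.example.com/test/@www.google.com", // '@' after the first '/' is just path
            "HTTPS://WWW.EXAMPLE.COM/test/",              // startsWith is case-sensitive
            null,                                         // getDataString() can return null
        };

        System.out.printf("%-46s %-7s %-7s %s%n", "url", "strict", "weak", "host per java.net.URI");
        for (String url : inputs) {
            System.out.printf("%-46s %-7b %-7b %s%n",
                    url, allowedStrict(url), allowedWeak(url), effectiveHost(url));
        }
    }
}
```

Running main shows that the strict prefix accepts only the first input, while the weak prefix also accepts the userinfo URL (whose host is www.google.com) and the www.example.com.evil.net URL; the trailing slash in the questioner's prefix is what rules both out. The uppercase URL is rejected by both checks, which is a false negative rather than a bypass.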