
Researchers recently discovered that using dots (.) in the protocol section of a URL can still resolve the hostname, opening new possibilities for web security testing and bypass techniques. This finding emerged from a CTF challenge and was further explored by Gareth Heyes, a researcher at PortSwigger Web Security.
You Should Know:
Testing Protocol Fuzzing with Dots
To verify this behavior, you can use cURL or a browser with crafted URLs:
curl "http://./example.com"
curl "https://...///example.com"
Bypassing URL Parsers
Some security filters may not correctly parse dots in the protocol. Test with:
Python requests test:
import requests
# allow_redirects=False so the first response shows how the URL was interpreted
response = requests.get("http://./google.com", allow_redirects=False)
print(response.status_code)
Browser-Based Testing
Open Chrome/Edge/Firefox and try:
javascript:window.open("http://...//evil.com")
DNS Resolution Check
Verify if the hostname still resolves:
ping evil...com
nslookup evil...com
WAF Bypass Potential
Some Web Application Firewalls (WAFs) may fail to detect malformed protocols:
Using Burp Suite Repeater:
GET http://./admin HTTP/1.1
Host: target.com
Linux Network Testing
Check if the system processes the URL correctly:
wget "http://.../example.com/file.txt"
Windows Equivalent
Invoke-WebRequest -Uri "http://...//microsoft.com"
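As an added example (not code from the original post or from the Shazzer research), the following Python shows why the filter-bypass point above matters for SSRF allowlists and how a strict check closes it: a substring allowlist accepts every malformed URL shape listed on this page, while parsing the authority and validating it as DNS labels rejects them. The allowlist and the URL set are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs: the malformed shapes from this page plus one well-formed URL.
# Value = whether a strict allowlist check should accept the URL.
URLS = {
    "http://./example.com": False,
    "https://...///example.com": False,
    "http://.../example.com/file.txt": False,
    "https://example.com/path": True,
}
ALLOWED_HOSTS = {"example.com"}  # hypothetical SSRF allowlist

# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def naive_allowed(url: str) -> bool:
    """Substring allowlist: the loose check that malformed authorities slip past."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_host(url: str):
    """Return the validated hostname, or None when the scheme or authority is malformed.

    urlsplit() takes the text between '//' and the next '/' as the authority, so for
    'http://./example.com' the parsed host is '.', not 'example.com'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if not HOSTNAME_RE.fullmatch(host):  # rejects '', '.', '...', and any empty label
        return None
    return host


def strict_allowed(url: str) -> bool:
    host = strict_host(url)
    return host is not None and host in ALLOWED_HOSTS


def compare(urls=URLS):
    """Map each URL to (naive verdict, strict verdict) to show where the checks disagree."""
    return {u: (naive_allowed(u), strict_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in compare().items():
        print(f"{url:40} naive={naive!s:5} strict={strict}")
```

The naive check passes all four URLs; only the strict check distinguishes the well-formed one, which is the property an SSRF or outbound-request filter needs.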
What Undercode Say
Protocol fuzzing remains an underrated technique in web security. Misinterpreted URLs can lead to:
- SSRF (Server-Side Request Forgery) bypasses
- WAF evasion
- Phishing attacks using deceptive links
Further research should explore:
- Browser inconsistencies (Chrome vs. Firefox vs. Edge)
- HTTP stack implementations (curl, wget, browsers)
- Security scanner blind spots
Expected Output:
A deeper understanding of protocol-level fuzzing and its impact on web security, along with practical bypass methods for penetration testers.
Prediction
More CVEs will emerge related to URL parsing inconsistencies, leading to stricter RFC compliance checks in web frameworks.
Reference:
Characters allowed in the protocol that still resolve host name – Shazzer
References:
Reported By: Gareth Heyes – Hackers Feeds