Safari’s Hostname Character Handling: Security Implications

By /

Listen to this Post

Featured Image
Safari has unique behavior when processing characters at the start of hostnames, which can lead to unexpected security scenarios. Researchers at PortSwigger discovered these differences, which may affect URL parsing, phishing detection, and web application security.

Reference:

You Should Know:

1. Testing Safari’s Hostname Parsing

Safari ignores certain special characters at the start of hostnames. This can be tested using:

Linux/Mac Terminal (curl test)

curl -v "http://@attacker.com" 
curl -v "http://.attacker.com" 
curl -v "http://attacker.com"

Compare responses with Chrome/Firefox.

Python Request Simulation

import requests 
response = requests.get("http://@malicious.example.com") 
print(response.url)  Check if Safari normalizes the URL differently

2. Bypassing Security Filters

Some security tools may not properly parse these edge cases:

 Example of a malformed URL that may bypass filters 
echo "http://@trusted-site.evil.com" | httpx -status-code

3. Detecting Vulnerable Parsers

Use this regex to find potentially risky URL handling:

grep -rE "http[bash]?://[.@][^/]+" /webapp/code/

4. Browser-Specific Exploitation

Craft a test page to detect Safari users:


<script> 
if (navigator.userAgent.includes('Safari') && !navigator.userAgent.includes('Chrome')) { 
window.location.href = "http://@fake-login.example.com"; 
} 
</script>

5. Mitigation via Nginx/Apache

Block malformed hostnames in web servers:

Nginx Rule

if ($host ~ "^[.@]") { 
return 403; 
}

Apache Rule

RewriteEngine On 
RewriteCond %{HTTP_HOST} ^[.@] [bash] 
RewriteRule ^ - [bash]

What Undercode Say

Safari’s lenient hostname parsing could enable:

  • Phishing attacks via deceptive URLs (`http://@realbank.com.evil.com`)
  • SSRF bypasses when internal systems parse URLs differently
  • WAF evasion due to inconsistent normalization

Defensive Commands:

 Audit Safari-specific URLs in logs 
awk '/GET \/.@|.|/ {print $1,$7}' /var/log/nginx/access.log

Test with DNS rebinding 
dig +short @evil.com A \attacker.com

Windows Defender Rule (PowerShell):

New-NetFirewallRule -DisplayName "Block Malformed Hostnames" -Direction Inbound -Action Block -RemoteAddress "@","","."

Prediction

Browser vendors will likely tighten hostname parsing rules, but legacy systems may remain vulnerable. Expect:
– Increased phishing campaigns exploiting this behavior
– CVEs related to parser inconsistencies in 2024-2025

Expected Output:

A security advisory detailing Safari’s hostname quirks, exploitation techniques, and mitigation steps for enterprise environments.

IT/Security Reporter URL:

Reported By: Gareth Heyes – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: