Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations

Joshua Reynolds; Adam Bates; Michael Donald Bailey

doi:10.1007/978-3-031-17143-7_9

Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations

Joshua Reynolds, Adam Bates, Michael Donald Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Uniform Resource Locators (URLs) are integral to the Web and have existed for nearly three decades. Yet URL parsing differs subtly among parser implementations, leading to ambiguity that can be abused by attackers. We measure agreement between widely-used URL parsers and find that each has made design decisions that deviate from parsing standards, creating a fractured implementation space where assumptions of uniform interpretation are unreliable. In some cases, deviations are severe enough that clients using different parsers will make requests to different hosts based on a single, “equivocal” URL. We systematize the thousands of differences we observed into seven pitfalls in URL parsing that application developers should beware of. We demonstrate that this ambiguity can be weaponized through misdirection attacks that evade the Google Safe Browsing and VirusTotal URL classifiers. URL parsing libraries have made a tradeoff to favor permissiveness over strict standards adherence. We hope this work will motivate the systemic adoption of a more unified URL parsing standard–enabling a more secure Web.

Original language	English (US)
Title of host publication	Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
Editors	Vijayalakshmi Atluri, Roberto Di Pietro, Christian D. Jensen, Weizhi Meng
Publisher	Springer
Pages	166-185
Number of pages	20
ISBN (Print)	9783031171420
DOIs	https://doi.org/10.1007/978-3-031-17143-7_9
State	Published - 2022
Event	27th European Symposium on Research in Computer Security, ESORICS 2022 - Virtual, Online Duration: Sep 26 2022 → Sep 30 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13556 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	27th European Symposium on Research in Computer Security, ESORICS 2022
City	Virtual, Online
Period	9/26/22 → 9/30/22

Keywords

Parsing ambiguity
URL
Web security

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Online availability

10.1007/978-3-031-17143-7_9

Library availability

Discover UIUC Full Text

Cite this

Reynolds, J., Bates, A., & Bailey, M. D. (2022). Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations. In V. Atluri, R. Di Pietro, C. D. Jensen, & W. Meng (Eds.), Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings (pp. 166-185). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13556 LNCS). Springer. https://doi.org/10.1007/978-3-031-17143-7_9

Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations. / Reynolds, Joshua; Bates, Adam; Bailey, Michael Donald.
Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. ed. / Vijayalakshmi Atluri; Roberto Di Pietro; Christian D. Jensen; Weizhi Meng. Springer, 2022. p. 166-185 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13556 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Reynolds, J, Bates, A & Bailey, MD 2022, Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations. in V Atluri, R Di Pietro, CD Jensen & W Meng (eds), Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13556 LNCS, Springer, pp. 166-185, 27th European Symposium on Research in Computer Security, ESORICS 2022, Virtual, Online, 9/26/22. https://doi.org/10.1007/978-3-031-17143-7_9

Reynolds J, Bates A, Bailey MD. Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations. In Atluri V, Di Pietro R, Jensen CD, Meng W, editors, Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Springer. 2022. p. 166-185. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-17143-7_9

Reynolds, Joshua ; Bates, Adam ; Bailey, Michael Donald. / Equivocal URLs : Understanding the Fragmented Space of URL Parser Implementations. Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. editor / Vijayalakshmi Atluri ; Roberto Di Pietro ; Christian D. Jensen ; Weizhi Meng. Springer, 2022. pp. 166-185 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{99e455291070438c8841fa2857672d7b,

title = "Equivocal URLs: Understanding the Fragmented Space of URL Parser Implementations",

abstract = "Uniform Resource Locators (URLs) are integral to the Web and have existed for nearly three decades. Yet URL parsing differs subtly among parser implementations, leading to ambiguity that can be abused by attackers. We measure agreement between widely-used URL parsers and find that each has made design decisions that deviate from parsing standards, creating a fractured implementation space where assumptions of uniform interpretation are unreliable. In some cases, deviations are severe enough that clients using different parsers will make requests to different hosts based on a single, “equivocal” URL. We systematize the thousands of differences we observed into seven pitfalls in URL parsing that application developers should beware of. We demonstrate that this ambiguity can be weaponized through misdirection attacks that evade the Google Safe Browsing and VirusTotal URL classifiers. URL parsing libraries have made a tradeoff to favor permissiveness over strict standards adherence. We hope this work will motivate the systemic adoption of a more unified URL parsing standard–enabling a more secure Web.",

keywords = "Parsing ambiguity, URL, Web security",

author = "Joshua Reynolds and Adam Bates and Bailey, {Michael Donald}",

note = "Funding Information: Acknowledgements. This work was partially supported by the NSF under grants GR0005987 and CNS 1955228. We thank our anonymous peer reviewers as well as Zane Ma, Joshua Mason, Kent Seamons, Jay Misra, Kaylia M. Reynolds, Deepak Kumar, and Paul Murley for their feedback and suggestions. Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 27th European Symposium on Research in Computer Security, ESORICS 2022 ; Conference date: 26-09-2022 Through 30-09-2022",

year = "2022",

doi = "10.1007/978-3-031-17143-7_9",

language = "English (US)",

isbn = "9783031171420",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "166--185",

editor = "Vijayalakshmi Atluri and {Di Pietro}, Roberto and Jensen, {Christian D.} and Weizhi Meng",

booktitle = "Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings",

address = "Germany",

}

TY - GEN

T1 - Equivocal URLs

T2 - 27th European Symposium on Research in Computer Security, ESORICS 2022

AU - Reynolds, Joshua

AU - Bates, Adam

AU - Bailey, Michael Donald

N1 - Funding Information: Acknowledgements. This work was partially supported by the NSF under grants GR0005987 and CNS 1955228. We thank our anonymous peer reviewers as well as Zane Ma, Joshua Mason, Kent Seamons, Jay Misra, Kaylia M. Reynolds, Deepak Kumar, and Paul Murley for their feedback and suggestions. Publisher Copyright: © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.

PY - 2022

Y1 - 2022

N2 - Uniform Resource Locators (URLs) are integral to the Web and have existed for nearly three decades. Yet URL parsing differs subtly among parser implementations, leading to ambiguity that can be abused by attackers. We measure agreement between widely-used URL parsers and find that each has made design decisions that deviate from parsing standards, creating a fractured implementation space where assumptions of uniform interpretation are unreliable. In some cases, deviations are severe enough that clients using different parsers will make requests to different hosts based on a single, “equivocal” URL. We systematize the thousands of differences we observed into seven pitfalls in URL parsing that application developers should beware of. We demonstrate that this ambiguity can be weaponized through misdirection attacks that evade the Google Safe Browsing and VirusTotal URL classifiers. URL parsing libraries have made a tradeoff to favor permissiveness over strict standards adherence. We hope this work will motivate the systemic adoption of a more unified URL parsing standard–enabling a more secure Web.

AB - Uniform Resource Locators (URLs) are integral to the Web and have existed for nearly three decades. Yet URL parsing differs subtly among parser implementations, leading to ambiguity that can be abused by attackers. We measure agreement between widely-used URL parsers and find that each has made design decisions that deviate from parsing standards, creating a fractured implementation space where assumptions of uniform interpretation are unreliable. In some cases, deviations are severe enough that clients using different parsers will make requests to different hosts based on a single, “equivocal” URL. We systematize the thousands of differences we observed into seven pitfalls in URL parsing that application developers should beware of. We demonstrate that this ambiguity can be weaponized through misdirection attacks that evade the Google Safe Browsing and VirusTotal URL classifiers. URL parsing libraries have made a tradeoff to favor permissiveness over strict standards adherence. We hope this work will motivate the systemic adoption of a more unified URL parsing standard–enabling a more secure Web.

KW - Parsing ambiguity

KW - URL

KW - Web security

UR - http://www.scopus.com/inward/record.url?scp=85140740323&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85140740323&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-17143-7_9

DO - 10.1007/978-3-031-17143-7_9

M3 - Conference contribution

AN - SCOPUS:85140740323

SN - 9783031171420

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 166

EP - 185

BT - Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings

A2 - Atluri, Vijayalakshmi

A2 - Di Pietro, Roberto

A2 - Jensen, Christian D.

A2 - Meng, Weizhi

PB - Springer

Y2 - 26 September 2022 through 30 September 2022

ER -