5 comments
@EnaWasHere @threetails @suprjami @bjb Both are true. Fake slashes make everything before the @ a “username” and v1271.zip the domain name.
@EnaWasHere @bjb @suprjami it's the @. Everything between http(s):// and @ is interpreted as a username and potentially a password, the part after the @ is the host and path.
@dragonfrog @EnaWasHere @bjb @suprjami That's not quite right, the username/password part cannot contain (amongst other things) forward slashes. This attack is relying on using a Unicode character that looks like a forward slash but isn't one.
@jribbens @EnaWasHere @bjb @suprjami I see, it's both the @ and the pseudo-slashes. Thanks for pointing that out.
@EnaWasHere @bjb @suprjami My guess as well.
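
The parsing behaviour discussed in this thread, as an added example that is not part of any comment above: a link check that uses the WHATWG `URL` parser (Node.js or a browser) to report the real host and flag userinfo containing slash look-alikes. The function name `inspectUrl`, the look-alike list and the `example.com` sample links are constructed for illustration; only `v1271.zip` comes from the thread.

```javascript
// Characters that render like "/" but are legal inside the userinfo part,
// where a real "/" would end the authority. Illustrative list, not exhaustive.
const SLASH_LOOKALIKES = new Map([
  ["\u2215", "DIVISION SLASH"],
  ["\u2044", "FRACTION SLASH"],
  ["\uFF0F", "FULLWIDTH SOLIDUS"],
  ["\u29F8", "BIG SOLIDUS"],
]);

// Hypothetical helper: returns the host a client would really contact,
// the decoded userinfo, and a list of findings for a mail/chat link filter.
function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { raw, host: null, userinfo: "", findings: ["unparseable"] };
  }
  // The parser percent-encodes non-ASCII userinfo, so decode before scanning.
  let userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  try {
    userinfo = decodeURIComponent(userinfo);
  } catch {
    /* keep the encoded form if it is not valid UTF-8 */
  }
  const findings = [];
  if (userinfo) findings.push("userinfo-present");
  const seen = new Set([...userinfo].filter((c) => SLASH_LOOKALIKES.has(c)));
  for (const c of seen) {
    findings.push(`slash-lookalike-in-userinfo: ${SLASH_LOOKALIKES.get(c)}`);
  }
  // Userinfo shaped like "name.tld..." is what makes the link read as another site.
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(userinfo)) {
    findings.push("userinfo-resembles-hostname");
  }
  return { raw, host: url.hostname, userinfo, findings };
}

// Constructed samples: the first uses U+2215 before the "@", the second real slashes.
const samples = [
  "https://example.com\u2215releases\u2215download\u2215@v1271.zip",
  "https://example.com/releases/download/@v1271.zip",
];
for (const s of samples) {
  const r = inspectUrl(s);
  console.log(r.host, JSON.stringify(r.findings));
}
```

With real slashes the authority ends at the first `/`, so the `@` lands in the path and the host stays `example.com`; with the look-alikes the whole prefix becomes userinfo and the host is `v1271.zip`.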