About urldiffer
A free, open checker for the one thing behind a whole class of bugs: parsers that read the same URL differently.
Most server-side URL allowlists are quietly a two-parser system — one library validates the URL (say, checks the host against a list) and a different client then fetches it. When those parsers disagree about where the URL points, an attacker can craft a string that passes the check but sends the request somewhere else. That single gap is the root of a large share of SSRF and open-redirect vulnerabilities.
urldiffer takes one URL and shows the gap between how a browser/fetch() actually resolves it (the WHATWG parser) and how a textbook RFC 3986 decomposition reads it — then flags the differences that enable SSRF, open-redirect and allowlist-bypass attacks, and lets you test whether common naive allowlist checks would be fooled. Only those two parsers are computed, and both are exact; other languages’ libraries are documented from published research rather than simulated, because faking a parser in a security tool would be dishonest. It fetches nothing and runs entirely in your browser.
The effective host shown is exactly what the browser-native WHATWG parser resolves — including IP normalization (hex, octal, decimal and short forms), IDN→punycode conversion, and case folding — alongside an RFC 3986 decomposition and flags for the documented confusion classes (backslash, userinfo @, slashes, encoded delimiters, whitespace, homographs). The optional allowlist tester reproduces common hand-rolled checks so you can see which a given input would defeat.
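As an added example (not urldiffer's own code), the following computes the two readings the page describes, the native WHATWG host versus a textbook RFC 3986 decomposition, and runs three hand-rolled allowlist checks over them; the `*.example` hostnames and the allowlist are constructed values.

```javascript
// Added example, not urldiffer's code: diff the WHATWG host against a textbook
// RFC 3986 decomposition and run hand-rolled allowlist checks against both.
// Hostnames under .example are constructed (RFC 2606 reserved), not real hosts.

// RFC 3986 Appendix B regex; capture group 4 is the authority component.
const RFC3986 = /^(([^:/?#]+):)?(\/\/([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Textbook RFC 3986 reading: authority = [ userinfo "@" ] host [ ":" port ].
// Host is case-insensitive so it is lowercased; nothing else is normalized.
function rfc3986Host(url) {
  const authority = RFC3986.exec(url)[4];
  if (authority === undefined) return null;
  const at = authority.indexOf('@');
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  if (hostport.startsWith('[')) return hostport.slice(0, hostport.indexOf(']') + 1).toLowerCase();
  const colon = hostport.indexOf(':');
  return (colon === -1 ? hostport : hostport.slice(0, colon)).toLowerCase();
}

// WHATWG reading: the host a browser's fetch() (and Node) actually connects to.
// URL is the platform's native WHATWG parser; it folds case and normalizes IPv4 forms.
function whatwgHost(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// One row of the diff: both effective hosts and whether they agree.
function diffHosts(url) {
  const whatwg = whatwgHost(url);
  const rfc = rfc3986Host(url);
  return { url, whatwg, rfc, agree: whatwg === rfc };
}

const ALLOWED_HOSTS = ['allowed.example']; // constructed allowlist

// Two naive string checks and one that compares the parsed WHATWG host.
// Returns which of the three would accept the URL.
function allowlistChecks(url) {
  return {
    startsWith: ALLOWED_HOSTS.some((h) => url.startsWith(`https://${h}`)),
    includes: ALLOWED_HOSTS.some((h) => url.includes(h)),
    parsedHost: ALLOWED_HOSTS.includes(whatwgHost(url)),
  };
}

// Constructed inputs, one per confusion class named on the page.
const SAMPLES = [
  'https://allowed.example/api',              // baseline, all readings agree
  'https://allowed.example@other.example/',   // userinfo @
  'https://allowed.example\\@other.example/', // backslash: WHATWG ends the host there
  'https://allowed.example.other.example/',   // allowed host as a prefix
  'http://0x7f000001/',                       // IPv4 hex form
];
for (const u of SAMPLES) console.log(diffHosts(u), allowlistChecks(u));
```

Only the `parsedHost` check rejects every constructed sample that points away from `allowed.example`, and the backslash and hex rows are the ones where the two readings disagree, which is the gap the checker flags.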
It is a deterministic parsing & diff tool — not a vulnerability scanner, and not a proof of safety.