About urldiffer
A free, open checker for the one thing behind a whole class of bugs: parsers that read the same URL differently.
Most server-side URL allowlists are quietly a two-parser system — one library validates the URL and a different client fetches it. When those two parsers disagree about where the URL points, an attacker can craft a string that passes the check but sends the request elsewhere. That gap is the root of a large share of SSRF and open-redirect bugs.
urldiffer shows the effective host the WHATWG parser resolves (with IP normalization and IDN→punycode) next to an RFC 3986 decomposition, flags the documented confusion classes, and tests whether common naive allowlist checks would be fooled. Only those two parsers are actually executed, and both are exact; the behaviour of other languages' URL libraries is documented from research rather than simulated. It fetches nothing and runs entirely in your browser. It is a deterministic diff tool — not a scanner, and not a proof of safety.
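The contrast the two paragraphs above describe, as an added example that is not urldiffer's own code: a few naive string-based allowlist checks are run beside a check that decides on the effective host from the WHATWG `URL` parser (the same parser a browser or Node fetch client uses). The allowlist, the naive checks, and the sample inputs are all constructed for illustration; `diffChecks` reports which naive checks disagree with the parsed host, which is the same kind of comparison the tool makes.

```javascript
// Added example, not urldiffer's code. Demonstrates why an allowlist must be
// evaluated on the parsed effective host rather than on the raw URL string.

// Constructed allowlist for this example.
const ALLOWED_HOSTS = new Set(["example.com", "api.example.com"]);

// Naive checks of the kind commonly found in application code (constructed).
const naiveChecks = {
  startsWith: (s) => s.startsWith("https://example.com"),
  includes: (s) => s.includes("example.com"),
  // Unanchored at the end, so anything following "example.com" still matches.
  regex: (s) => /^https?:\/\/([a-z0-9-]+\.)*example\.com/i.test(s),
};

// Effective host as the WHATWG parser resolves it: lowercased, IPv4 forms
// normalized to dotted-decimal, and IDN labels converted to punycode.
// Returns null for unparseable input or non-http(s) schemes.
function effectiveHost(s) {
  let u;
  try {
    u = new URL(s);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname;
}

// Hardened allowlist check: exact match on the parsed host, never on the string.
function isAllowed(s) {
  const host = effectiveHost(s);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Diff each naive check against the hardened decision. A naive check is
// "fooled" when it accepts what the parser sends elsewhere, or rejects a URL
// whose effective host is in fact allowed.
function diffChecks(s) {
  const host = effectiveHost(s);
  const hardened = isAllowed(s);
  const fooled = Object.entries(naiveChecks)
    .filter(([, check]) => check(s) !== hardened)
    .map(([name]) => name);
  return { input: s, effectiveHost: host, allowed: hardened, fooled };
}

// Constructed sample inputs covering the confusion classes named above.
const SAMPLES = [
  "https://example.com/path",              // genuinely allowed
  "https://example.com.attacker.test/",    // prefix match, different host
  "https://EXAMPLE.com/",                  // case: parser lowercases
  "https://ex\u00e4mple.com/",             // IDN: parser emits punycode
  "http://127.1/",                         // IPv4 normalization
  "ftp://example.com/",                    // scheme outside the allowlist
];

function runSamples() {
  return SAMPLES.map(diffChecks);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) console.log(JSON.stringify(r));
}
```

The point to take from the output is symmetric: the prefix and substring checks accept a host the fetch client never contacts, and they also reject a perfectly valid uppercase spelling of an allowed host, while the hardened check is right in both directions because it compares the same normalized host the client will use.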