================================================================================
VARIANT BYPASS TEST RESULTS
================================================================================
Testing against vulnerable and patched implementations

✅ CORRECTLY BLOCKED
Test: Standard @ attack (original CVE)
Input: "@attacker.com"
Vulnerable URL: https://target.com@attacker.com#access_token=secret_token_12345
  → Host: attacker.com | Token to attacker: true
Patched: BLOCKED (Invalid redirect path.)

ℹ️ ALLOWED (not malicious)
Test: URL-encoded @ (%40)
Input: "%40attacker.com"
Note: The authority parser only looks for a literal '@', so %40 does not introduce a userinfo separator. The host parser later percent-decodes it to '@', a forbidden host code point, and rejects the URL (PARSE_ERROR below). The token is NOT sent to attacker.com.
Vulnerable URL: https://target.com%40attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false
Patched URL: https://target.com%40attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false

ℹ️ ALLOWED (not malicious)
Test: Double URL-encoded @ (%2540)
Input: "%2540attacker.com"
Vulnerable URL: https://target.com%2540attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false
Patched URL: https://target.com%2540attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false

✅ CORRECTLY BLOCKED
Test: Protocol-relative URL (//attacker.com)
Input: "//attacker.com"
Vulnerable URL: https://target.com//attacker.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)

✅ CORRECTLY BLOCKED
Test: Triple-slash URL (///attacker.com)
Input: "///attacker.com"
Vulnerable URL: https://target.com///attacker.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)
✅ CORRECTLY BLOCKED
Test: Backslash variant (\attacker.com)
Input: "\attacker.com"
Vulnerable URL: https://target.com\attacker.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)

ℹ️ ALLOWED (not malicious)
Test: Backslash URL-encoded (%5C)
Input: "%5Cattacker.com"
Note: The parser only treats a literal '\' as a path separator; %5C stays in the host, decodes to a forbidden host code point, and the URL fails to parse.
Vulnerable URL: https://target.com%5Cattacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false
Patched URL: https://target.com%5Cattacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false

✅ CORRECTLY BLOCKED
Test: Path with @ in middle (/path@attacker.com)
Input: "/path@attacker.com"
Vulnerable URL: https://target.com/path@attacker.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)

✅ CORRECTLY BLOCKED
Test: Fragment-based (@ in fragment)
Input: "#@attacker.com"
Vulnerable URL: https://target.com#@attacker.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)

✅ CORRECTLY BLOCKED
Test: Query string with @
Input: "?x=@attacker.com"
Vulnerable URL: https://target.com?x=@attacker.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)
ℹ️ ALLOWED (not malicious)
Test: Empty redirect
Input: ""
Vulnerable URL: https://target.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched URL: https://target.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false

ℹ️ ALLOWED (not malicious)
Test: Valid path
Input: "/dashboard"
Vulnerable URL: https://target.com/dashboard#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched URL: https://target.com/dashboard#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false

ℹ️ ALLOWED (not malicious)
Test: Unicode @ equivalent (U+FF20, fullwidth commercial at)
Input: "＠attacker.com"
Note: Hostname becomes 'target.com＠attacker.com', which is invalid for this parser; a browser may handle it differently, so verify in each target browser.
Vulnerable URL: https://target.com＠attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false
Patched URL: https://target.com＠attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false

✅ CORRECTLY BLOCKED
Test: Tab character injection (tab shown as \t)
Input: "@attacker.com\t"
Vulnerable URL: https://target.com@attacker.com\t#access_token=secret_token_12345
  → Host: attacker.com | Token to attacker: true
Patched: BLOCKED (Invalid redirect path.)

✅ CORRECTLY BLOCKED
Test: Newline injection (newline shown as \n)
Input: "@attacker.com\n"
Vulnerable URL: https://target.com@attacker.com\n#access_token=secret_token_12345
  → Host: attacker.com | Token to attacker: true
Patched: BLOCKED (Invalid redirect path.)

✅ CORRECTLY BLOCKED
Test: @ with port
Input: "@attacker.com:8080"
Vulnerable URL: https://target.com@attacker.com:8080#access_token=secret_token_12345
  → Host: attacker.com | Token to attacker: true
Patched: BLOCKED (Invalid redirect path.)
⚠️ FALSE POSITIVE
Test: Schemeless attacker.com
Input: "attacker.com"
Note: URL becomes https://target.comattacker.com, whose host is target.comattacker.com: neither target.com nor attacker.com. The token goes to that third host, so this is harmless only as long as nobody other than target.com's owner can control it.
Vulnerable URL: https://target.comattacker.com#access_token=secret_token_12345
  → Host: target.comattacker.com | Token to attacker: false
Patched URL: https://target.comattacker.com#access_token=secret_token_12345
  → Host: target.comattacker.com | Token to attacker: false

✅ CORRECTLY BLOCKED
Test: Nested path with //
Input: "/api//attacker.com"
Vulnerable URL: https://target.com/api//attacker.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)

✅ CORRECTLY BLOCKED
Test: Dot-dot-slash with @ (../../../@attacker.com)
Input: "../../../@attacker.com"
Vulnerable URL: https://target.com../../../@attacker.com#access_token=secret_token_12345
  → Host: target.com.. | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)

✅ CORRECTLY BLOCKED
Test: @ in query param value
Input: "?redirect=@attacker.com"
Vulnerable URL: https://target.com?redirect=@attacker.com#access_token=secret_token_12345
  → Host: target.com | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)
ℹ️ ALLOWED (not malicious)
Test: Mixed encoding: %2540 (single decoded)
Input: "%2540attacker.com"
Vulnerable URL: https://target.com%2540attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false
Patched URL: https://target.com%2540attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false

ℹ️ ALLOWED (not malicious)
Test: Unicode normalization candidate (U+FE6B, small commercial at)
Input: "﹫attacker.com"
Vulnerable URL: https://target.com﹫attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false
Patched URL: https://target.com﹫attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false

✅ CORRECTLY BLOCKED
Test: Zero-width joiner after @ (U+200D)
Input: "@‍attacker.com"
Vulnerable URL: https://target.com@‍attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)

✅ CORRECTLY BLOCKED
Test: Right-to-left override (U+202E)
Input: "@‮attacker.com"
Vulnerable URL: https://target.com@‮attacker.com#access_token=secret_token_12345
  → Host: PARSE_ERROR | Token to attacker: false
Patched: BLOCKED (Invalid redirect path.)

================================================================================
SUMMARY
================================================================================
Total tests: 24
Real bypasses found: 0
False positives: 1
Correctly blocked: 15
Allowed (not malicious): 8

⚠️ FALSE POSITIVES (need manual review):
  - Schemeless attacker.com: "attacker.com"
    Reason: Hostname is neither target.com nor attacker.com

✅ EXIT: No real bypasses detected
Some 'bypasses' are false positives that don't actually redirect to attacker.com
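The pattern these results exercise, as an added example that is not the test tool's or the patched project's own code: the vulnerable builder concatenates a fixed base with the user-controlled redirect path and then appends the token fragment, which is exactly what lets "@attacker.com" turn the whole base into userinfo. Beside it is a hardened builder that, instead of blocklisting '@', '//' and '\' in the raw string, accepts only a single-slash relative path with no control or whitespace character, resolves it with the WHATWG URL parser, and requires the resolved origin to equal the base origin with no credentials. The base https://target.com, the token fragment, the function names and the inline input list are assumptions mirroring the report. Because it checks the resolved origin rather than characters, this builder differs from the page's patch on a few inputs: it rejects the schemeless "attacker.com" that the patch lets through, and it accepts "/path@attacker.com", which resolves to a path on target.com.

```javascript
// Added example, not the test harness's or the patched project's code.
// BASE, TOKEN_FRAGMENT, the function names and CASES are assumptions that
// mirror the report above; Node's WHATWG URL parser is used for host checks.

const BASE = 'https://target.com';                         // assumed redirect base
const TOKEN_FRAGMENT = '#access_token=secret_token_12345'; // constructed, as in the report

// Vulnerable pattern: base + user-controlled path, then the token fragment.
// "@attacker.com" makes "target.com" the userinfo and attacker.com the host.
function buildVulnerable(base, path) {
  return base + path + TOKEN_FRAGMENT;
}

// Mirrors the report's "Host:" column: WHATWG hostname, or PARSE_ERROR when
// the string is not a valid URL (the report's %40, %5C and U+FF20 cases).
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname;
  } catch {
    return 'PARSE_ERROR';
  }
}

// Hardened builder: allowlist the shape of the path, resolve it against the
// base, then compare origins. The WHATWG parser silently strips ASCII tab and
// newline (the report's tab/newline cases), so they are rejected up front.
function buildSafe(base, path) {
  if (typeof path !== 'string' || path === '') path = '/';
  if (/[\u0000-\u0020\u007f]/.test(path)) return { ok: false, reason: 'control/whitespace character' };
  if (!path.startsWith('/') || path.startsWith('//')) return { ok: false, reason: 'not a single-slash relative path' };
  if (path.includes('\\')) return { ok: false, reason: 'backslash' };
  let resolved;
  try {
    resolved = new URL(path, base);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (resolved.origin !== new URL(base).origin || resolved.username || resolved.password) {
    return { ok: false, reason: 'origin mismatch' };
  }
  resolved.hash = ''; // the fragment is set by the server, never taken from the input
  return { ok: true, url: resolved.href + TOKEN_FRAGMENT };
}

// Constructed input set mirroring the report's cases.
const CASES = ['@attacker.com', '%40attacker.com', '//attacker.com', '///attacker.com',
  '\\attacker.com', '/path@attacker.com', '#@attacker.com', '?x=@attacker.com', '',
  '/dashboard', '\uFF20attacker.com', '@attacker.com\t', '@attacker.com\n',
  '@attacker.com:8080', 'attacker.com', '/api//attacker.com', '../../../@attacker.com'];

// Runs every case through both builders and records where the token would go.
function runCases(base = BASE, cases = CASES) {
  return cases.map((input) => {
    const vulnHost = hostOf(buildVulnerable(base, input));
    const safe = buildSafe(base, input);
    return {
      input,
      vulnHost,
      tokenToAttacker: vulnHost === 'attacker.com',
      patched: safe.ok ? safe.url : `BLOCKED (${safe.reason})`,
    };
  });
}

// Number of cases where the vulnerable builder sends the token to attacker.com.
function countLeaks(results) {
  return results.filter((r) => r.tokenToAttacker).length;
}

// Number of cases the hardened builder accepted whose host is not the base host.
function patchedLeaks(results, base = BASE) {
  const baseHost = new URL(base).hostname;
  return results.filter((r) => !r.patched.startsWith('BLOCKED') && hostOf(r.patched) !== baseHost).length;
}

for (const r of runCases()) {
  console.log(JSON.stringify(r.input).padEnd(28), 'vulnerable host:', r.vulnHost.padEnd(22), 'patched:', r.patched);
}
```

Run with `node` to get one line per case; the vulnerable column reproduces the report's "Host:" values and the leak count (four cases: plain "@", tab, newline and "@ with port") is what the hardened builder has to drive to zero.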