Post History

77%
+5 −0
Q&A What does this suspicious URL structure do?

I (well, my spam trap) received email that I know is a scam, but I'm trying to understand how it works. The message contains a URL of the following form: https:/example.com:2096/?goto_app=Somethi...

2 answers  ·  posted 1y ago by Monica Cellio‭  ·  last activity 1y ago by Canina‭

Question urls
#3: Post edited by Canina · 2023-10-31T18:25:54Z (about 1 year ago)
  • I (well, my spam trap) received email that I know is a scam, but I'm trying to understand how it works. The message contains a URL of the following form:
  • https:/example.com:2096/?goto_app=SomethingWithoutAnExtension
  • The single `/` after the protocol is suspicious, and I assume the key to a redirect that would be unfortunate. But how does this work? What's going on here?
  • I wondered if everything between the first two slashes would be ignored (I've heard of an exploit that works that way), but if so, I'm not sure how the rest of this string could do anything. There's not another layer of path that could be a URL,[^1] and the thing after `goto_app` doesn't end in `.exe` or the like. I don't know if port 2096 is special.
  • I'm not going to _try_ it to find out, but I did try going to `https:/mydomain.org` (a domain I control, not literally "mydomain"), using one slash instead of two, and Brave took me to my site. I tried looking it up in the [IETF URL spec](https://www.w3.org/Addressing/URL/url-spec.html) (is that the right place?) but I didn't find the details I was looking for (or maybe I'm looking in the wrong place).
  • How should this URL be parsed? How does this presumed scam work?
  • [^1]: If the URL were instead `https:/example.com:2096/something.com?goto...` then I would assume that everything up to the second slash is a decoy and it would take me to `htttps://something.com?...`. But there aren't enough slashes in the suspicious URL I received.
  • I (well, my spam trap) received email that I know is a scam, but I'm trying to understand how it works. The message contains a URL of the following form:
  • https:/example.com:2096/?goto_app=SomethingWithoutAnExtension
  • The single `/` after the protocol is suspicious, and I assume the key to a redirect that would be unfortunate. But how does this work? What's going on here?
  • I wondered if everything between the first two slashes would be ignored (I've heard of an exploit that works that way), but if so, I'm not sure how the rest of this string could do anything. There's not another layer of path that could be a URL,[^1] and the thing after `goto_app` doesn't end in `.exe` or the like. I don't know if port 2096 is special.
  • I'm not going to _try_ it to find out, but I did try going to `https:/mydomain.example` (a domain I control, not literally "mydomain"), using one slash instead of two, and Brave took me to my site. I tried looking it up in the [IETF URL spec](https://www.w3.org/Addressing/URL/url-spec.html) (is that the right place?) but I didn't find the details I was looking for (or maybe I'm looking in the wrong place).
  • How should this URL be parsed? How does this presumed scam work?
  • [^1]: If the URL were instead `https:/example.com:2096/something.example?goto...` then I would assume that everything up to the second slash is a decoy and it would take me to `htttps://something.example?...`. But there aren't enough slashes in the suspicious URL I received.
#2: Post edited by Monica Cellio · 2023-10-31T18:00:23Z (about 1 year ago)
  • I (well, my spam trap) received email that I know is a scam, but I'm trying to understand how it works. The message contains a URL of the following form:
  • https:/example.com:2096/?goto_app=SomethingWithoutAnExtension
  • The single `/` after the protocol is suspicious, and I assume the key to a redirect that would be unfortunate. But how does this work? What's going on here?
  • I wondered if everything between the first two slashes would be ignored (I've heard of an exploit that works that way), but if so, I'm not sure how the rest of this string could do anything. There's not another layer of path that could be a URL,[^1] and the thing after `goto_app` doesn't end in `.exe` or the like. I don't know if port 2096 is special.
  • I'm not going to _try_ it to find out, but I did try going to `https:/mydomain.org` (a domain I control, not literally "mydomain"), using one slash instead of two, and Brave took me to my site. I tried looking it up in the [W3C URL spec](https://www.w3.org/Addressing/URL/url-spec.html) but I didn't find the details I was looking for (or maybe I'm looking in the wrong place).
  • How should this URL be parsed? How does this presumed scam work?
  • [^1]: If the URL were instead `https:/example.com:2096/something.com?goto...` then I would assume that everything up to the second slash is a decoy and it would take me to `htttps://something.com?...`. But there aren't enough slashes in the suspicious URL I received.
  • I (well, my spam trap) received email that I know is a scam, but I'm trying to understand how it works. The message contains a URL of the following form:
  • https:/example.com:2096/?goto_app=SomethingWithoutAnExtension
  • The single `/` after the protocol is suspicious, and I assume the key to a redirect that would be unfortunate. But how does this work? What's going on here?
  • I wondered if everything between the first two slashes would be ignored (I've heard of an exploit that works that way), but if so, I'm not sure how the rest of this string could do anything. There's not another layer of path that could be a URL,[^1] and the thing after `goto_app` doesn't end in `.exe` or the like. I don't know if port 2096 is special.
  • I'm not going to _try_ it to find out, but I did try going to `https:/mydomain.org` (a domain I control, not literally "mydomain"), using one slash instead of two, and Brave took me to my site. I tried looking it up in the [IETF URL spec](https://www.w3.org/Addressing/URL/url-spec.html) (is that the right place?) but I didn't find the details I was looking for (or maybe I'm looking in the wrong place).
  • How should this URL be parsed? How does this presumed scam work?
  • [^1]: If the URL were instead `https:/example.com:2096/something.com?goto...` then I would assume that everything up to the second slash is a decoy and it would take me to `htttps://something.com?...`. But there aren't enough slashes in the suspicious URL I received.
#1: Initial revision by Monica Cellio · 2023-10-31T17:56:34Z (about 1 year ago)
What does this suspicious URL structure do?
I (well, my spam trap) received email that I know is a scam, but I'm trying to understand how it works.  The message contains a URL of the following form:

    https:/example.com:2096/?goto_app=SomethingWithoutAnExtension

The single `/` after the protocol is suspicious, and I assume the key to a redirect that would be unfortunate.  But how does this work?  What's going on here?

I wondered if everything between the first two slashes would be ignored (I've heard of an exploit that works that way), but if so, I'm not sure how the rest of this string could do anything.  There's not another layer of path that could be a URL,[^1] and the thing after `goto_app` doesn't end in `.exe` or the like.  I don't know if port 2096 is special.

I'm not going to _try_ it to find out, but I did try going to `https:/mydomain.org` (a domain I control, not literally "mydomain"), using one slash instead of two, and Brave took me to my site.  I tried looking it up in the [W3C URL spec](https://www.w3.org/Addressing/URL/url-spec.html) but I didn't find the details I was looking for (or maybe I'm looking in the wrong place).

How should this URL be parsed?  How does this presumed scam work?


[^1]: If the URL were instead `https:/example.com:2096/something.com?goto...` then I would assume that everything up to the second slash is a decoy and it would take me to `htttps://something.com?...`.  But there aren't enough slashes in the suspicious URL I received.
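
The parse the question asks about, as an added example that is not part of the original post: it splits the quoted URL once with the generic RFC 3986 Appendix B regular expression and once with the WHATWG URL parser that browsers and Node.js use, and flags links where only the browser sees a host. The function names and flag strings are hypothetical, and the sample is the placeholder URL from the question.

```javascript
// RFC 3986 Appendix B splitter: an authority exists only after a literal "//".
const RFC3986 = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

function rfc3986Split(raw) {
  const m = RFC3986.exec(raw);
  return { scheme: m[2], authority: m[4], path: m[5], query: m[7] };
}

// WHATWG URL parser (global URL in browsers and Node.js). For "special"
// schemes such as http and https it skips any run of slashes after the
// colon and starts reading the host, so "https:/host" equals "https://host".
function browserView(raw) {
  const u = new URL(raw);
  return {
    href: u.href,
    hostname: u.hostname,
    port: u.port, // "" when the port is the scheme's default
    pathname: u.pathname,
    params: [...u.searchParams.keys()],
  };
}

// Compare both views and report where a filter built on the generic
// split would disagree with what a browser actually connects to.
function analyzeLink(raw) {
  const generic = rfc3986Split(raw);
  const flags = [];
  let browser = null;
  try {
    browser = browserView(raw);
  } catch (e) {
    flags.push("unparseable");
  }
  if (browser) {
    if (generic.authority === undefined && browser.hostname !== "") {
      flags.push("host-only-visible-to-browser");
    }
    if (browser.port !== "") flags.push("non-default-port");
  }
  return { generic, browser, flags };
}

// Placeholder URL as quoted in the question.
const SAMPLE = "https:/example.com:2096/?goto_app=SomethingWithoutAnExtension";
console.log(JSON.stringify(analyzeLink(SAMPLE), null, 2));
```

In the generic split the host text lands in the path (`/example.com:2096/`), while the browser view normalizes the link to `https://example.com:2096/?goto_app=...`, which matches the single-slash behaviour observed in Brave.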