Requests: Ignore normalization URL

Created on 10 Dec 2019 · 4 Comments · Source: psf/requests

In cases where I would like to test Path Traversal vulnerabilities in web applications, the target URL is usually https://example.com/../../path. Using the GET method in requests, that URL will be normalized as below. Consequently, this will lead to unintended results in the test.

import requests

r = requests.get('https://example.com/../../path')
print(r.url)
# https://example.com/path

With curl, we have an option to ignore the normalization: --path-as-is. So, do we have an equivalent option for requests?

All 4 comments

@EDjur Thank you for your information. Do you know a workaround to resolve this?

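Try using a prepared request

import requests

url = "http://example.com/../something.txt"
headers = {}  # placeholder: request headers, not defined in the original post
data = None   # placeholder: request body, not defined in the original post
s = requests.Session()
req = requests.Request(method='POST', url=url, headers=headers, data=data)
prep = req.prepare()
prep.url = url  # restore the original URL that prepare() normalized
# verify=False disables TLS certificate checks; it has no effect on an http:// URL
r = s.send(prep, verify=False)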

@akmalhisyam Thank you very much. It works well.

@akmalhisyam is correct here. Using the PreparedRequests workflow will typically solve issues like this if you MUST explicitly set something.
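
Added example (not part of the original thread or of the requests project's code): a way to confirm what actually goes out on the wire, by sending both the default request and the prepared request with the URL restored to a loopback listener that records the raw request target. The names `Recorder`, `wire_paths` and `seen` are made up for this sketch, and the result assumes a requests/urllib3 combination that normalizes dot segments as described in the issue.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import requests

seen = []  # raw request targets as received by the loopback listener


class Recorder(BaseHTTPRequestHandler):
    def do_GET(self):
        seen.append(self.path)  # request target exactly as it arrived
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def wire_paths(path="/../../path"):
    """Return (default_target, as_is_target) observed by a local server."""
    seen.clear()
    server = HTTPServer(("127.0.0.1", 0), Recorder)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}{path}"
    try:
        with requests.Session() as s:
            s.trust_env = False  # ignore proxy environment variables
            # 1) Default flow: prepare() normalizes the dot segments.
            s.get(url, timeout=5)
            # 2) Prepared-request flow: restore the original URL after prepare().
            prep = s.prepare_request(requests.Request("GET", url))
            prep.url = url
            s.send(prep, timeout=5)
    finally:
        server.shutdown()
        server.server_close()
    return tuple(seen)


if __name__ == "__main__":
    default_target, as_is_target = wire_paths()
    print("default :", default_target)
    print("as-is   :", as_is_target)
```

Running the same check against a test target's access log shows whether an intermediate proxy or the server itself collapses the path again before the application sees it.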
