During my team's security research on an authentication module for Apache2, we identified an issue introduced by the fact that the Apache2 HTTP server and modern web browsers parse URLs differently. Although the general problem of differential URL parsing has been documented publicly, I think it did not get the attention it deserved. It can affect a broad range of software and introduce vulnerabilities in critical features such as authentication flows and requests to internal services.
In this blog post, I detail how differential URL parsing bugs occur and which URL parser libraries are affected. I'll use a recent bug that we discovered in mod_auth_openidc, a popular Apache2 module, as a real-life example of this pattern, and then show you how to easily detect similar bugs in your own application through differential testing. With this, I hope to raise awareness of these subtle bugs and add a new item to your toolbox!