Made by wes4m

What is this?

Google launched 8 new TLDs on May 3rd, 2023 for EAP including .zip (Link)
The security community had fun coming with all kinds of phishing ideas using it. This is a demo tool for it. It is intentionally unreliable to deter abuse. Links are deleted after 1 hour. Also any one will be able to overwrite target links within that hour.

Malicious file link

Target link

How it works?


A very common trick in phishing, and one that is also useful in trying to break URL parsers, and WAFs is to replace characters with their unicode alikes. For example, a regular "/" (0x2F) can be replaced with unicode "∕" (0x2215) resulting in a normal looking link that will actually be treated as one long string instead of a URL path.

Combine this with a host authentication URL using @. You get a [email protected] that will be treated as a normal http request.

Orange Tsai 🍊 research on SSRF is a good resource to learn more about this (Link)

Note the generated link is not (https) because of the way SSL certs are given to specific domain names. CAs don't give wildcard certs for multi-level subdomains unless you specify the domain levels. Anyway, someone targeting a file name (a version for example) can always generate a free cert for it. For this demo's sake it's http only. However, for one-level subdomains https will work just fine.



wget can take multiple urls to fetch from separated by spaces. wget [option]... [ URL ]...

If the first URL returns a 404, nothing will be fetched and it will continue on to the next one. The -qO filename.zip part can be omitted as it just there to help keep things cleaner. So by passing the target link without a filename it is expected to get a 404 for the first URL. While having the second URL be a link named similar to the actual filename.

Avoid it

Those issues are not speical to any TLD. .zip being .zip just makes it easier to fall for. It is hard to stop copy pasting commands and links or clicking URLs without carefully checking every single character. Although those are still good behaviours to work on. A more realistic approach would be to simply block .zip from your DNS. It is not an important TLD. And if someone really needs access to it, they will figure it out.