Evade external url Filter

Lately i came to a web-application which allowed to enter links, but only internal ones  (not the best idea anyhow).
It presented a nice dropdown list with all the useful paths the programmer could think of. 

After confirming that the dropdown value was the value that actually was reflected and entered to the database and quite unsuccessfully trying to XSS and SQLi from here i just wanted the link to call an external url (to subframe the page).

From my previous attempts I learned the "Filter" did not like  :,http,<,>,', ... in any encoding i tried so it would not be possible to just enter http://mysite.com 

I remembered actually a trick that some social media widgets use: I tried: //mysite.com  - only to find out that // is also filtered.

But ...  /\mysite.com  did the trick on several browsers (trying to be compatible to the old IE) 

What did the programmer do wrong ?

  • First of all it is not a good idea to believe that the contents of a dropdown can not be modified by the visitor
  • Second: The final terms of the dropdown should never have shown up in the data value of the dropdown - instead there has to be an indexed list
  • Third: The entered values of an indexed list (1,2,3,...12) can easily be validated against correct inputs