Black & White Path

Jun 3, 2026 · Information Security

Why URLs Like /api/;/user/info Still Work: Server Parsing and RFC Rules

The article explains that URLs containing a semicolon, such as /api/;/user/info, are still reachable because web servers follow legacy URL‑path‑parameter parsing defined in older RFCs, treat empty parameters as harmless, and normalize the path before routing, which also introduces security considerations.