PHP's function parse_url have many intressting behaviors and invalid parsing results. This is also mentioning in the official documentation of parse_url. If we where to set a port such as: 000443, most parsers in other programming language including browsers will trim the zeros since it makes no sense having zeros at the start of a port number. However, parse_url does not. Instead, parse_url will return false. This behavior can be used to force a false value, making it possible to access another code section in the application to run that may be vulnerable.

Now that you know how you can use this techniques to your advantage, you can test your practical skills in the official lab below.