Brutkey

Adam Katz
@adamhotep@infosec.exchange

Click-trackers in email "need" to rewrite rewritten links in order to properly determine who clicked them. In longer threads, this gets a bit hilarious.

Here's the final payload at the end of an 18,660-character re-re-re-…-rewrite:
http%2525252525252525252525252525252525252525252525252525252525252525253A%2525252525252525252525252525252525252525252525252525252525252525252F%2525252525252525252525252525252525252525252525252525252525252525252Fwww.example.com%2525252525252525252525252525252525252525252525252525252525252525252F
(anonymized)

URI percent encoding uses percents, so : is %3A and / is %2F. All of those 25s are from escaped percents; %25 is %, so unescape(unescape(unescape("%25253A"))) gives you :.
That's three layers. The above example has 34 layers.
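The layering described in the post, worked through as an added example (not part of the original post). It uses Python's `urllib.parse`; the helper names `peel`, `depth_by_run` and `wrap` are made up for this example, and the 34-layer input is constructed from the anonymized example.com URL.

```python
import re
from urllib.parse import quote, unquote

# One escape after repeated encoding: "%", a run of "25", then the hex pair.
_ESCAPE = re.compile(r"%((?:25)*)([0-9A-Fa-f]{2})")


def peel(value: str, max_layers: int = 64) -> tuple[str, int]:
    """Unquote repeatedly until the string stops changing.

    Returns (decoded, layers). max_layers bounds the loop so a crafted,
    deeply nested link cannot make a mail or proxy filter spin.
    Caveat: this also decodes escapes the final URL meant to keep
    (for example a literal %2F in a path), so use the result for
    inspection and matching, not as the URL to fetch.
    """
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def depth_by_run(value: str) -> int:
    """Estimate the layer count without decoding, from the longest "25" run."""
    return max((len(m.group(1)) // 2 + 1 for m in _ESCAPE.finditer(value)),
               default=0)


def wrap(url: str, times: int) -> str:
    """Constructed sample: what `times` stacked rewriters would produce."""
    for _ in range(times):
        url = quote(url, safe="")
    return url


if __name__ == "__main__":
    nested = wrap("http://www.example.com/", 34)  # constructed input
    print(depth_by_run(nested), peel(nested))
```
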