How To Evade URL Filters With (Not-So) Fancy Math
Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."
Oh come on (Score:5, Interesting)
It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.
FTFA:
In other words, no testing has been done at all. What is this poorly-thought-out bit of speculation doing on the front page of Slashdot?
Works in Chrome (Score:4, Interesting)
All the alternate methods of specifying IP addresses for URLs work in Chrome. When you mouse over the link, you see it with the traditional decimal IP address, so it's not as obfuscated as it could be. Similarly when you reach the site, the URL displayed is in the traditional format.
Addresses like http://0xdeadbeef/ [0xdeadbeef] and http://0xdeadd00d/ [0xdeadd00d] are assigned to a Chinese telecom company (they have all of 0xdead....).
Re:Technical details here (Score:1, Interesting)
I'm using opendns.
None of the numeric URLs listed in the blog post work with it enabled.
Re:Technical details here (Score:5, Interesting)
Interesting. Though Slashcode presented your URL as typed by you, hovering over it and right-click-copy in Chromium shows the canonical dotted quad http://195.27.181.36/en/weblog?weblogid=208188044 [195.27.181.36]
Re:Technical details here (Score:5, Interesting)
That blog post even has a variant of obfuscation the author likely didn't intend. He mentioned octal, but used a funny notation in his google.com example:
http://00000102.00000146.00000015.00000143/ [00000146.0...5.00000143]
True octal notation simply requires a single leading zero, like this:
http://0102.0146.015.0143/ [0146.015.0143]
The cool thing is this opens a new avenue for further defeating the fixed string-based scanners. These are all equivalent:
http://00000102.00000146.00000015.0143/ [00000146.00000015.0143]
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.00143/ [00000146.00000015.00143]
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.000143/ [00000146.00000015.000143]
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.0000143/ [00000146.0...15.0000143]
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.00000143/ [00000146.0...5.00000143]
Sure, a regexp would easily solve the problem, but that seems to be part of the root problem anyway.
Re:Technical details here (Score:4, Interesting)
I'm on Safari on OS X, and I can tell you that the link doesn't work. I get the standard Safari page saying "Can't find the server 3277....".
I tried the links in the blog post, the first three don't work, they have the same problem. The fourth link, the one padded with 0s, eventually failed because the server failed to respond (/.ing, I'm guessing).
This is the first time Safari has failed me in something geeky like this. Safari is the only browser that renders my brother's URL properly. It's one of the unicode symbols, and Safari shows it that way. Safari shows (snowman).net correctly, but Firefox turns it into xn--n3h.net [xn--n3h.net].
Of course, /. won't let me post a unicode character.
Re:wrong (Score:2, Interesting)
You just make one of your virtual hosts' names the same as the IP address.
Usually, the default page (what you're talking about) where no Host field is provided lists possible domains you can navigate to, sometimes with URL translation or fuzzy-searches if the admin is anal. :) Failing to set this up is just poor form.
Poor form, however, is common.
Not quite new (Score:4, Interesting)
This is actually just a watered down version of a very, very old trick wherein you'd take a URL like http://3273372964/en/weblog?weblogid=208188044 [3273372964] and insert www.cnn.com@ before the IP address in long form. This of course meant the browser would try to login to the "real" website with the login "www.cnn.com". So you'd end up with a URL that looked very much like it was part of CNN's website but was in fact something else entirely. I'd show you a demonstration URL, but Slashdot filters out the obfuscating part of URLs formatted in that way so it would look identical.
At any rate, these days, not only do forums like Slashdot actively weed out those sorts of URLs as obvious attempts at obfuscation, but browsers pretty much universally will throw up a warning before taking you to a website obfuscated in that manner. And as a result, that trick long ago fell out of fashion.
But it seems everything old is new again, if you wait long enough.
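The filter-side fix implied by the octal post above and by this one is to canonicalise the host before matching, rather than matching on the literal string. The example below is added here and is not code from any of the posters or from the blog post they discuss; it uses only the Python standard library and implements the per-part rule the thread describes for Chrome (0x prefix = hex, leading zero = octal, otherwise decimal, with fewer than four parts letting the last part fill the remaining bytes). The name `inspect_url` and the blocklist in the usage are my own.

```python
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    """Parse one dotted component the way browsers do: hex, octal or decimal."""
    if not part.isalnum():          # rejects '-', '_', whitespace, etc.
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part[1:], 8)      # '00000102' and '0102' both mean 66
    return int(part, 10)


def canonical_ipv4(host: str):
    """Return the dotted-decimal form of a numeric host, or None if it is not one."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":   # a single trailing dot is tolerated
        parts.pop()
    if not parts or len(parts) > 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    if any(n > 255 for n in nums[:-1]):      # every part but the last is one byte
        return None
    tail_bytes = 5 - len(nums)               # the last part covers the rest
    if nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = value * 256 + n
    value = value * 256 ** tail_bytes + nums[-1]
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def inspect_url(url: str) -> dict:
    """Canonicalise the host and flag a userinfo prefix such as 'www.cnn.com@'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    canon = canonical_ipv4(host)
    return {"host": host, "canonical": canon or host,
            "numeric_host": canon is not None,
            "has_userinfo": parts.username is not None}


def is_blocked(url: str, blocked_ips: set) -> bool:
    """Match on the canonical address, so notation tricks do not evade the list."""
    return inspect_url(url)["canonical"] in blocked_ips


if __name__ == "__main__":
    blocked = {"195.27.181.36"}   # constructed list using the thread's example IP
    for u in ("http://3273372964/en/weblog", "http://0xc31bb524/", "http://www.cnn.com@3273372964/"):
        print(u, "->", inspect_url(u), "blocked:", is_blocked(u, blocked))
```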