Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Evade URL Filters With (Not-So) Fancy Math

Posted by timothy on from the could-I-have-twice-a-half-dozen dept.

Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."

17 of 162 comments (clear)

  1. Technical details here by TSHTF · · Score: 4, Informative

    The linked article is next to worthless. The real details are in this blog post.

    1. Re:Technical details here by TheRaven64 · · Score: 4, Informative

      OpenDNS is irrelevant. These are IP addresses, they are not domain names, so they don't need to go via DNS to be resolved. None of the links works in Safari on OS X either, but you can ping the IPs in the terminal, so it appears to be a bug (or 'security feature') in libcurl, which is what Safari uses for resolving URLs (earlier versions used CFURL, now WebKit uses libcurl directly). Checking this in the terminal shows the problem is actually deeper; libcurl passes the address to getaddrinfo(), but that fails. Trying the same command on GNU/Linux works correctly, so the glibc implementation of getaddrinfo() does handle this kind of resolution correctly. I presume that on OS X the ping utility handles its own address parsing; telnetting to 0x42.0x66.0x0d.0x63 fails in the host lookup stage.

      --
      I am TheRaven on Soylent News
    2. Re:Technical details here by ObitMan · · Score: 3, Informative

      never mind. i misread the article, sorry

      --
      Who run Barter Town?
    3. Re:Technical details here by teh+moges · · Score: 2, Informative

      It works fine for me (v3.5.8 on kubuntu)

    4. Re:Technical details here by iammani · · Score: 2, Informative

      Me too, in FF v3.6 on Windows 7

    5. Re:Technical details here by Anonymous Coward · · Score: 1, Informative

      not here. ff3.6 on windows loads the page as linked...

    6. Re:Technical details here by elfprince13 · · Score: 2, Informative

      Well, at least on Mac it doesn't know what to do with it.

    7. Re:Technical details here by Anonymous Coward · · Score: 1, Informative

      That blog post is useless as well

      http://www.pc-help.org/obscure.htm is much better, note the date of that page, 2002! Nothing new here. Google for obfuscate URL and the first 15 hits are better and more informative as well.

  2. virtual hosts by munehiro · · Score: 2, Informative

    too bad this won't pass any Host: information in the HTTP header, hence anything based on a virtual host will be unreachable through pure IP address. You will have to perform a bit more hacking to do that, and it won't defeat deep packet inspection filters.

    --
    -- "If A equals success, then the formula is A=X+Y+Z. X is work. Y is play. Z is keep your mouth shut." - Einstein
  3. Yeah But... by Greyfox · · Score: 4, Informative

    I actually preferred using a url with the 10 digit number that was my base 10 IP address in E-Mails as it got people's attention in an otherwise bland sea of domains. This has been a feature of libc as long as I can remember (in Linux you should be able to ping an IP address in some other number base) but Firefox actually makes an effort to disallow using IP addresses with this notation. So if they're using Firefox, it won't work so well.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  4. Big problem by Bogtha · · Score: 4, Informative

    The problem with this approach is that the requested URL doesn't provide a hostname, just the IP address. As IP addresses are in short supply, it has been an extremely common practice for years to assign multiple websites to a single IP address, otherwise known as name-based virtual hosting. This is common even for large companies. When you specify the URL with an IP address, the browser doesn't provide an appropriate Host: HTTP header, so any web server set up this way won't know which of the many websites it hosts should be returned. This means that anybody browsing the web with this technique will find that some websites work and some won't, seemingly at random to them.

    --
    Bogtha Bogtha Bogtha
  5. Parent is troll link - don't click. by Anonymous Coward · · Score: 3, Informative

    Here is some text to get past the filter.

  6. Welcome to the 20th century by Dachannien · · Score: 4, Informative

    I'm glad Slashdot is here to tell us about these things, or else I might not have found this important security bulletin.

  7. Re:0xdeadbeef by ppanon · · Score: 2, Informative

    Uh oh. Looks like you can`t Just Google It. Not only that, but they have all of 0xDEAD*

    ; <<>> DiG 9.2.4 <<>> -x 222.173.190.239
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44377
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;239.190.173.222.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    173.222.in-addr.arpa. 3600 IN SOA dns1.ctnt.com.cn. root.dns1.ctnt.com.cn. 2005100802 10800 3600 604800 3600

    ;; AUTHORITY SECTION: 173.222.in-addr.arpa. 3600 IN SOA dns1.ctnt.com.cn. root.dns1.ctnt.com.cn. 2005100802 10800 3600 604800 3600

    --
    Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  8. HTTP/1.0 Perhaps, HTTP/1.1 Unlikely by izomiac · · Score: 2, Informative

    HTTP/1.0:
    GET /index.html HTTP/1.0

    HTTP/1.1:
    GET /index.html HTTP/1.1
    Host: example.org

    If the site relies on HTTP/1.1, as is the case when multiple domains are hosted from the same IP address, then it's not possible to access the site by IP alone. OTOH, any filter worth its salt would do a reverse DNS lookup on an unknown IP, which would reveal the single domain name for an HTTP 1.0 server, rendering this technique mostly useless for HTTP packet filtering.

    Tricking HTTP proxy servers might work, if they allow CONNECT on port 80:

    CONNECT 2130706433:80 HTTP/1.1

    GET /index.html HTTP/1.1
    Host: example.geek

  9. Get prepared to have your mind blown by gqx · · Score: 5, Informative

    The author apparently does not realize this, but you can also partly concatenate octets and mix various notations:

    http://0x4a.8196963/

    And yes, congratulations on being cutting edge: this thing is so old and well-known that it's even explicitly covered in RFC 3986, section 7 ("Security Considerations"), subsection 7.4 ("Rare IP Address Formats").

  10. Re:Simple defense: by yuhong · · Score: 2, Informative

    Some modems and routers has internal DNS servers in them. For example, my family have a Westell 6100 modem from Verizon that have this feature, and dslrouter is the DNS name assigned to the modem. I'd recommend an exemption list, and include 192.168.*.* by default in it.