Slashdot Mirror


How To Evade URL Filters With (Not-So) Fancy Math

Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."

3 of 162 comments

  1. Oh come on by Zouden · Score: 5, Interesting

    It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.

    FTFA:

    it’s possible to imagine URL filtering tools having the same lack of support.

    In other words, no testing has been done at all. What is this poorly-thought-out bit of speculation doing on the front page of Slashdot?

    --
    "A week in the lab saves an hour in the library"
  2. Re:Technical details here by moreati · Score: 4, Interesting

    don't you mean in this blog post [3273372964]

    Interestingly, though Slashcode presented your URL as typed by you, hovering over it and right-click-copy in Chromium shows the canonical dotted quad http://195.27.181.36/en/weblog?weblogid=208188044

  3. Re:Technical details here by plover · Score: 4, Interesting

    That blog post even has a variant of obfuscation the author likely didn't intend. He mentioned octal, but used a funny notation in his google.com example:
    http://00000102.00000146.00000015.00000143/

    True octal notation simply requires a single leading zero, like this:
    http://0102.0146.015.0143/

    The cool thing is this opens a new avenue for further defeating the fixed string-based scanners. These are all equivalent:
    http://00000102.00000146.00000015.0143/
    (Slashdot makes me fill the lines with not-repetitive stuff.)
    http://00000102.00000146.00000015.00143/
    (Slashdot makes me fill the lines with not-repetitive stuff.)
    http://00000102.00000146.00000015.000143/
    (Slashdot makes me fill the lines with not-repetitive stuff.)
    http://00000102.00000146.00000015.0000143/
    (Slashdot makes me fill the lines with not-repetitive stuff.)
    http://00000102.00000146.00000015.00000143/
    Sure, a regexp would easily solve the problem, but that seems to be part of the root problem anyway.

    --
    John
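A canonicalizer for the address forms discussed in the summary and in plover's comment, added here as an example that is not from the article or from any of the posters: it parses a numeric host the way browsers and inet_aton do (hex with a 0x prefix, octal with a leading zero, decimal, fewer than four components, a bare 32-bit integer) and rewrites the URL with the dotted quad, which is the normalization a URL filter needs before comparing a host against a blocklist. The sample URLs are constructed; 195.27.181.36 and the octal google.com forms are the ones quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not from the page): 195.27.181.36 from the thread as
# decimal, a single integer, hex and a merged last component, plus plover's octal.
SAMPLE_URLS = [
    "http://195.27.181.36/en/weblog?weblogid=208188044",
    "http://3273372964/en/weblog?weblogid=208188044",
    "http://0xC3.0x1B.0xB5.0x24/",
    "http://195.27.46372/",
    "http://00000102.00000146.00000015.00000143/",
]

def _parse_part(part: str) -> int:
    """One dotted component, inet_aton style: 0x = hex, leading 0 = octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:] or "0", 16)
    if re.fullmatch(r"0[0-7]*", part):        # "0", "015", "00000102" are all octal
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):    # "08" is neither octal nor decimal: rejected
        return int(part, 10)
    raise ValueError(part)

def canonical_ipv4(host: str):
    """Dotted-quad form of any numeric IPv4 host a browser would accept, or None."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Leading components are single bytes; the last one fills all remaining bytes.
    last_width = 8 * (5 - len(values))
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << last_width:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << last_width) | values[-1]
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def normalize_url_host(url: str) -> str:
    """Rewrite url with a canonical dotted-quad host so a blocklist sees one spelling."""
    parts = urlsplit(url)
    canon = canonical_ipv4(parts.hostname or "")
    if canon is None:
        return url
    netloc = canon if parts.port is None else f"{canon}:{parts.port}"
    return parts._replace(netloc=netloc).geturl()
```

Running `normalize_url_host` over `SAMPLE_URLS` maps the first four entries to the same 195.27.181.36 URL and the octal entry to 66.102.13.99; a host that is not numeric (google.com) or not valid inet_aton syntax (08.1.1.1, 256.1.1.1) is left untouched.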