How To Evade URL Filters With (Not-So) Fancy Math

Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."

Re:Technical details here

[AnEducatedNegro]

don't you mean in this blog post?

Oh come on

[Zouden]

It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.

FTFA:

it’s possible to imagine URL filtering tools having the same lack of support.

In other words, no testing has been done at all. What is this poorly-thought-out bit of speculation doing on the front page of Slashdot?

Get prepared to have your mind blown

[gqx]

The author apparently does not realize this, but you can also partly concatenate octets and mix various notations:

http://0x4a.8196963/

And yes, congratulations on being cutting edge: this thing is so old and well-known that it's even explicitly covered in RFC 3986, section 7 ("Security Considerations"), subsection 7.4 ("Rare IP Address Formats").