@Plazmaz
Last active February 27, 2020 03:39

Brief explanation

This is a list of methods for messing with URLs. They are often useful for bypassing filters, for SSRF, or for creating convincing links that are difficult to distinguish from legitimate URLs.

Paths to localhost/ip

Decimal encoded 127.0.0.1

Hex

Present in /etc/hosts of many Linux devices

DNS names that point at localhost

Credit: https://gist.github.com/tinogomes/c425aa2a56d289f16a1f4fcb8a65ea65

DNS rebinding

Tool: https://github.com/taviso/rbndr  
Hosted: https://lock.cmpxchg8b.com/rebinder.html  

Obfuscation

Right-to-Left (RTL) characters

URL is actually https://example.org/\u202emoc.elgoog.www (\u202d can be used to flip back to LTR text).
Adding garbage makes this more convincing.

Unicode slashes

The "slash" after google is actually '⁄' (\u2044). '∕' (\u2215) also seems like a good option

Log injection/obfuscation/log nastiness

1. \u0008 = %08 = backspace, raw. This might work on Windows systems, particularly when the URL is displayed on a console.
2. Same as 1, but percent-encoded as %08.
3. %09 = tab; can be used to wrap lines.
4. %0D = \r; breaks lines.
5. %0A = \n; breaks lines.
6. ANSI colour codes: '\u001b[30mhidden' makes "hidden" and all text after it black (until \u001b[0m).
7. Blank braille pattern (\u2800).
  1. https://www.example.com/\u0008\u0008\u0008\u0008\u0008\u0008\u0008\u0008\u0008\u0008\u0008\u0008google.com/search
  2. https://www.example.com/%08%08%08%08%08%08%08%08%08%08%08%08%08google.com
  3. https://www.example.com/%09page
  4. https://www.example.com/%0Dpage
  5. https://www.example.com/%0Apage
  6. https://www.example.com/page/index\u001b[30m-hidden\u001b[0m
  7. https://www.google ⠀ ⠀ ⠀ ⠀ ⠀⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀ ⠀.example.com

Old tricks

These should still all work in some cases!
1. Username that looks like a domain (user@host: the userinfo part is read as the domain)
2. Long URL; may work if the start of the URL is truncated
3. Long subdomain; may work if the end of the domain is truncated
(you can try using other characters or Unicode whitespace for #2 and #3)
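As an added defender-side example that is not part of the original gist, the Python check below decodes the inet_aton-style address literals from the "Paths to localhost/ip" section and flags the special characters, control characters and userinfo tricks from the "Obfuscation", log-injection and "Old tricks" sections; the function names and sample inputs are my own. It does no DNS resolution, so the "DNS names that point at localhost" and rebinding cases still require resolving the name and re-checking the address at connect time.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Characters from the Obfuscation section: RTL/LTR overrides, Unicode "slashes", blank braille.
SUSPICIOUS_CHARS = {"\u202e", "\u202d", "\u2044", "\u2215", "\u2800"}
# Raw or percent-encoded control characters from the log-injection section (BS, TAB, LF, CR, ESC).
CONTROL = re.compile(r"[\x00-\x1f\x7f]|%(?:0[89ad]|1b)", re.IGNORECASE)


def parse_ipv4_literal(host):
    """Decode every form inet_aton accepts (2130706433, 0x7f000001, 0177.0.0.1, 127.1)
    into an IPv4Address; return None when host is not such a literal."""
    def part(p):  # hex, leading-zero octal, or decimal, as inet_aton reads it
        if p[:2].lower() == "0x":
            return int(p[2:], 16)
        return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)
    try:
        parts = [part(p) for p in host.split(".")]
    except ValueError:
        return None
    tail_bits = 8 * (5 - len(parts))  # the last part fills the remaining width
    if (not 1 <= len(parts) <= 4 or any(not 0 <= p <= 255 for p in parts[:-1])
            or not 0 <= parts[-1] < 1 << tail_bits):
        return None
    value = parts[-1]
    for i, p in enumerate(parts[:-1]):  # leading parts are single bytes, high to low
        value |= p << (24 - 8 * i)
    return ipaddress.IPv4Address(value)


def url_risk_flags(url):
    """Return the set of reasons a URL matches one of the tricks on this page."""
    flags = set()
    if SUSPICIOUS_CHARS & set(url):
        flags.add("deceptive-unicode")
    if CONTROL.search(url):
        flags.add("control-char")
    parsed = urlsplit(url)
    if parsed.username is not None:  # "google.com@evil.example": userinfo posing as the domain
        flags.add("userinfo")
    host = parsed.hostname or ""  # lower-cased, IPv6 brackets already stripped
    try:
        ip = ipaddress.ip_address(host)  # plain dotted quad or IPv6
    except ValueError:
        ip = parse_ipv4_literal(host) if host else None
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified):
        flags.add("internal-address")
    elif host == "localhost" or host.endswith(".localhost"):
        flags.add("internal-address")  # names that resolve internally still need a DNS check
    return flags
```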