URL Obfuscation

If you know anything about the internets, you probably know what is an [tag]IP address[/tag], and what it is used for. If you don’t, I’m not gonna tell you – you will need to google it for yourself. But, not everyone knows that browsers will try to resolve IP addresses, even if they are not typed in the traditional [tag]dotted decimal notation[/tag].

After my last post, I have been asked to explain how did I [tag]obfuscate[/tag] the [tag]URL[/tag] in my example. So here is the explanation. Every IP address can be represented as dotted decimal, or a decimal [tag]dword[/tag] value.

What is a dword you ask? It is a double word – a 32 bit long binary string. In most cases a word is 16 bits long which is exactly the amount of space that you need to store a 4 digit hexadecimal value. Here is a quick refresher in binary: bin to hex conversions are very easy. All you need to do is you divide your binary string into 4 bit chunks and then covert these chunks into hex. So 0001b = 0x1, 0101b = 0x5 and 1111b = 0xF. Then you put them all together. Each 2 digit hexadecimal number like 0x2D is a byte. Put two bytes together and you have a word. Put two words together, and you have yourself a dword. Got it? Good!

Google’s IP address is 72.14.207.99. Let’s convert this into a dword. Dotted decimal notation makes it very easy:

72 = 0x48
14 = 0x0E
207 = 0xCF
99 = 0x63

Put it all together and you get 0x480ECF63. By convention, dwords are expressed in base 10 notation so take out your calculator and convert this big number into decimal and you will get 1208930147. Paste that into your address bar, and it will take you to google. Seriously – try it: http://1208930147

If you think this is to much work, here is a javascript that will do this for you. Just type in the IP address in the box and press convert.

I also used another method for obfuscation, to conceal the http:// string in my URL. As you may know, some characters cannot be part of a URL. Non-alphanumerics such as @, :, ?, % and etc all have special functionality, and the browser will try to interpret them accordingly. Thus, if you want to send these characters as parameters via GET request, they need to be URL encoded. So ? becomes %3f, @ becomes %40 and so on.

What is the pattern here? Observant readers probably already guessed it. Get the hexadecimal [tag]ASCII[/tag] value of your character, stick a % in front of it, and you are good to go! You can do this with every letter of the alphabet – so the whole URL can be encoded this way. Here is another nifty tool that will do this for you:

Please try it out. Type in google.com in the box, and click convert. The address becomes http://%67%6f%6f%67%6c%65%2e%63%6f%6d. Click on the link to make sure it works.

Most URL’s can be easily obfuscated using both techniques. However, the dword method will not always work. Go ahead, and try using it on terminally-incoherent.com. It doesn’t work! Why? Because my website can’t be accessed via IP address alone. I do not have a dedicated server – all my stuff is hosted on the same box as dozen other websites. My host then uses [tag]Apache[/tag]’s [tag]Virtual Host[/tag] functionality to properly resolve the requests. If you use the IP address alone, you will hit the default document root which currently does not contain any website. So you get an error message. You can still obfuscate it using the ASCII method though.

Have fun with these, and don’t do evil with this newly gained knowledge. :)