Hacking the URL Schema
by Tiago Epifânio (madcap)
Let's talk a little about the ancient art of generating URLs that look legit and similar to some address that you may know. There are several ways to do it.
The most common technique is called typo-squatting and relies on the typos that we make when typing an address on the address bar. Like goggle.com or paypall.com. Although we get to those malicious sites by mistyping a website address, many people would also click on a link with that URL, not really noticing the typo.
There are also homograph attacks which rely on the fact that different characters can look very similar, like the capital "I" and the lower case "L". Also there are different alphabets (Latin, Greek, Cyrillic) that have very similar symbols.
But in this article I'm going to focus on a different kind of attack called "URL Schema Obfuscation." It's so good that it allows you to create a fake URL that looks pretty normal and you don't even have to register a fake domain.
Let's say that you receive a legitimate looking link to a supposedly enraging tweet by some billionaire that you love to hate:
http://twitter.com∕elonmusk∕status∕@3264653699 |
You click on it. But instead, you're taken somewhere else. In this case, you would be taken to the home page of Phrack Magazine.
How did this happen? Let's split the above address in parts and start by the end.
The 3264653699 part, which looks like the ID of a tweet, is indeed a disguised IP address in decimal format. This is a valid format, although most people don't know.
An IP address is, in fact, a 32-bit number. It's easier to represent it in the normal dotted notation, separating it in four parts, each part having eight bits, like we usually do. But we can use it in decimal format as well.
Let's say that we want our victims to be redirected to the phrack.org website, which has the IP address: 194.150.169.131
First, start by converting each part of that address into binary format:
11000010.10010110.10101001.10000011
194. 150. 169. 131
|
Remove the dots, obtaining a 32-bit value, and then convert it to a decimal number:
Binary : 11000010100101101010100110000011 Decimal : 3264653699 |
Now, if you paste that decimal number into your browser's address bar, preceding it with http://, you will be taken to Phrack's website. Try it: http://3264653699
But what about the rest of the URL: twitter.com/elonmusk/status/@ ?
Well, this part also has some tricks in it.
First there's the at sign (@). That character, when placed before a domain name, means that you want to authenticate to that site using some username.
Let's say you wanted to sign as user jaime at the site joana-blog.net. You would type http://jaime@joana-blog.net. This is not a very common means of authentication (nor a secure one), but it's a valid one. It was common in the old days to authenticate to FTP servers.
So, at the example given above, you would be authenticating at http://3264653699 with the username: twitter.com/elonmusk/status
Kind of.
If you type that manually on your address bar, the browser will see those slashes and invalidate all that I've been saying. But instead of using regular forward slashes we can use a Unicode character that looks like a slash but is instead interpreted as a regular character.
In my example I'm using the Unicode character U+2215 (division slash). You can see more details about it here: codepoints.net/U+2215
So, after these small manipulations, you end up with a normal looking URL that will trick anyone because it looks like a valid address. That teaches us that we should be very careful when clicking random links even when they look legit (don't click links on suspicious emails, remember?).
Since this method only works when using http (instead of https), if you see a link that starts with "http://" you should probably avoid it. If in doubt, try typing the address manually into your browser.
Another thing you should do is use Firefox as your main browser. Firefox shows a warning saying that you're trying to login to a website that doesn't request authentication. Something like this:
(I wonder how many people will still click "Yes" after this message anyway.)
Unfortunately, Google Chrome doesn't show that warning. And you know what? Seven out of ten people use Google Chrome or some variant of it, which makes an attack like this pretty efficient.
This is not a complicated method, but I created a Python script to make the creation of these URLs easier:
#!/bin/python3 import sys URL_TEMPLATE = "http://{}@{}" if len(sys.argv) != 3: print("Usage: ./obfuscate_url.py <fake_address> <real_ip_address>\n" \ "Example: ./url_schema_obfuscation.py twitter.com/elonmusk 194.150.169.131") exit(-1) fake_addr = sys.argv[1] real_ip_addr = sys.argv[2] username_part = ( fake_addr.replace("http://", "") .replace("https://", "") .replace("/", "\u2215") ) ip_parts = real_ip_addr.split(".") binary_string = "" for part in ip_parts: binary_string += "{0:b}".format(int(part)) print(URL_TEMPLATE.format(username_part, int(binary_string, 2))) |
$ ./obfuscate_url.py
Usage: ./obfuscate_url.py <fake_address> <real_ip_address>
Example: ./url_schema_obfuscation.py twitter.com/elonmusk 194.150.169.131
$ ./obfuscate_url.py twitter.com/elonmusk 194.150.169.131
http://twitter.com∕elonmusk@3264653699
^
UTF-8 ∕ | Not an ASCII '/' !!!!
|
Be safe, and beware of links with an "@" sign!
Code: obfuscate_url.py