DEVIL'S BLOG ON SECURITY


A DEVIL'S BLOG ON COMPUTER AND INFORMATION SECURITY, ETHICAL HACKING AND COUNTERMEASURES




URL Obfuscation | Hide URL


In this post we will look at hiding a URL using different URL obfuscation methods. Depending on how the obfuscation is done, they are classified as:

-Host Name URL Obfuscation
-Encoded URL Obfuscation
-Cross Site URL Obfuscation
-Mixed

Host Name URL Obfuscation:
Usually when we communicate with a website we are familiar only with fully qualified domain names such as www.abcd.com or http://abcd.com. But as you may know, several of them use a URL redirection service, which means that when you type the URL in the address bar it redirects to some other URL. For example, type www.gmail.com in your web browser and it will turn into,

https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2

Something similar happens with www.yahoomail.com, which turns into mail.yahoo.com. This is done with the help of URL redirection, and whenever these sites send email to their users, the users are served the redirected URL. For example,

sitename:redirect@mainsite.com

Since this type of URL is familiar to the user from his/her own account, he/she would not mind another redirected URL if his/her bank also uses it. An attacker might take advantage of this and send a URL with redirection in which the target is given not by name but by its IP address, so an obfuscated URL may appear as,

sitename:redirect@117.98.09.23/index.html

Click on the following links to get a practical example,

http://gmail@bit.ly/dolod
http://mail.yahoo@http://nrupentheking.blogspot.com

Both links will redirect to http://nrupentheking.blogspot.com. Sorry, instead of an IP address I used a URL since I don't have my own server.
Now the victim may have a hard time detecting that the URL is obfuscated. But an attacker will not take chances, so rather than representing the IP address in its regular decimal form he/she may use another IP address representation. Other methods of IP address representation are DWORD, binary, octal, hexadecimal and even mixed. For example, the IP address 117.98.09.23 can be represented in all the following forms,

Decimal: 117.98.09.23
Binary: 1110101.110010.1001.10111
Octal: 0165.0142.011.027
Hexadecimal: 0x75.0x62.0x9.0x1b or 0x7563901b
DWORD: 117 * 256 * 98 * 256 * 9 * 23 = ?
Mixed: 1110101. 0165. 0x75.23

So rather than using a fully qualified domain name, an attacker may use any of the above obfuscation methods.
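For detection, a mail filter or proxy can undo both tricks before showing or logging a link. The following is an added example, not code from the original post: it splits off the userinfo that precedes `@` and converts octal, hexadecimal, DWORD and mixed host spellings to dotted decimal, following the decimal/octal/hex rules that browser URL parsers apply. The function names are hypothetical.

```javascript
// Added example: function names are hypothetical, not from the post.
// Parse one dotted part as a browser URL parser does: 0x.. is hex, 0.. is octal, else decimal.
function parseIPv4Part(part) {
  if (/^0x[0-9a-f]*$/i.test(part)) return part.length === 2 ? 0 : parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return null; // not a number in decimal, octal or hexadecimal
}

// Return canonical dotted decimal for any accepted IPv4 spelling, or null if not an IPv4 host.
function normalizeIPv4Host(host) {
  const parts = host.split(".");
  if (parts.length > 4 || parts.includes("")) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.includes(null)) return null;
  const last = nums.pop(); // the last part fills all remaining bytes (DWORD form = one part)
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join(".");
}

// Split the authority and report which host the link really points at.
function inspectUrl(raw) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(raw);
  if (!m) return null;
  const at = m[1].lastIndexOf("@"); // everything before the last @ is userinfo, not the host
  const userinfo = at >= 0 ? m[1].slice(0, at) : "";
  const host = m[1].slice(at + 1).replace(/:\d*$/, "").toLowerCase();
  const ip = normalizeIPv4Host(host);
  const findings = [];
  if (userinfo) findings.push("userinfo-before-host");
  if (ip !== null) findings.push(ip === host ? "ip-literal-host" : "non-canonical-ipv4");
  return { userinfo, host: ip ?? host, findings };
}
```
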

Encoded URL Obfuscation:
To support local languages over the Internet, applications such as web browsers, FTP browsers, email clients, IRC clients etc. support several character encoding methods, so an attacker may take advantage of this facility by crafting a specially encoded URL. Please note that several encoding methods may be available depending on the locale of a region; here we will look at universal encoding methods only. By the way, your web browser supports 90% of all types of encoding, including the universal ones. There are three types of universal character encoding methods,

-Escape Encoding
-Unicode Encoding
-UTF-8 Encoding

All of them are done with the help of encoding software. Now, how to detect them: a URL obfuscated with the escape encoding method will have several % symbols, each followed by two hexadecimal digits (example: %20). A Unicode-encoded URL will have several %u symbols followed by the Unicode character's number (example: %u0000 %u01FC); as you can see, the number can be represented in any number system, be it binary, decimal, hexadecimal or octal. Next is UTF, i.e. Unicode Transfer Format. It is the most used URL obfuscation method because UTF offers representation of a single character in multiple ways (example: %2E, %C0%AE and %F0%80%80%AE all represent a period symbol, and the possibilities don't end here).
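The detection rules above can be automated. This added example (not part of the original post; `decodeLenient` and the finding labels are hypothetical names) decodes `%XX` and `%uXXXX` escapes and flags escapes of characters that never need escaping as well as overlong UTF-8 sequences such as `%C0%AE`, which a strict decoder like `decodeURIComponent` rejects outright.

```javascript
// Added example: decodeLenient and the finding labels are hypothetical names.
const MIN_CP = { 1: 0, 2: 0x80, 3: 0x800, 4: 0x10000 }; // smallest code point that needs each length

function decodeLenient(input) {
  const findings = new Set();
  let out = "";
  for (let i = 0; i < input.length; ) {
    const rest = input.slice(i);
    const u = /^%u([0-9a-f]{4})/i.exec(rest);
    if (u) { // non-standard %uXXXX escape
      findings.add("percent-u-escape");
      out += String.fromCharCode(parseInt(u[1], 16));
      i += 6;
      continue;
    }
    const run = /^(?:%[0-9a-f]{2})+/i.exec(rest);
    if (!run) { out += input[i++]; continue; }
    const bytes = run[0].slice(1).split("%").map((h) => parseInt(h, 16));
    i += run[0].length;
    for (let k = 0; k < bytes.length; ) {
      const lead = bytes[k];
      // Sequence length from the lead byte; 0 means a stray continuation or invalid lead byte.
      const len = lead < 0x80 ? 1 : lead >> 5 === 6 ? 2 : lead >> 4 === 14 ? 3 : lead >> 3 === 30 ? 4 : 0;
      const tail = bytes.slice(k + 1, k + len);
      let cp = len === 1 ? lead : lead & (0xff >> (len + 1));
      for (const t of tail) cp = (cp << 6) | (t & 0x3f);
      const bad = len === 0 || tail.length !== len - 1 || tail.some((t) => t >> 6 !== 2) || cp > 0x10ffff;
      if (bad) { findings.add("invalid-utf8"); out += "\uFFFD"; k += 1; continue; }
      // More bytes than the code point needs: the overlong forms the post describes.
      if (cp < MIN_CP[len]) findings.add("overlong-utf8");
      else if (len === 1 && /[A-Za-z0-9._~-]/.test(String.fromCharCode(cp))) findings.add("escaped-unreserved");
      out += String.fromCodePoint(cp);
      k += len;
    }
  }
  return { decoded: out, findings: [...findings].sort() };
}
```
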

Cross Site URL Obfuscation:
This type of obfuscation is possible if the site is vulnerable to an XSS attack. An attacker manages to call his/her own phished page with the help of an XSS vulnerability, if available. For example, consider that some website www.abcd.com is vulnerable to an HTML substitution XSS attack; then most probably its URL will appear as follows,

www.abcd.com/fetchurl?URL=index.html

From the above we can conclude that abcd uses a script named fetchurl to display pages. The page index.html is surely stored in the root folder of the abcd server. Now what if the attacker replaces index.html with the URL of a phished site? Then the above URL will appear as follows,

www.abcd.com/fetchurl?URL=http://phishedpage.com/index.html

There's no doubt many will fall prey to it. For this type of obfuscation the site must be vulnerable to an XSS attack.
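On the site owner's side, the fix is to make a fetchurl-style script accept only pages on its own origin. This is an added example, not code from the original post: `SITE_ORIGIN`, `naiveIsLocal`, `resolveLocalPage` and `checkFetchurlRequest` are hypothetical names, and only the `fetchurl?URL=` shape comes from the post. It sets a weak scheme-prefix check beside a check that resolves the value the way a browser would and compares origins.

```javascript
// Added example: all names are hypothetical; only the fetchurl?URL= shape is from the post.
const SITE_ORIGIN = "http://www.abcd.com";

// Weak check: only rejects values that start with a scheme, so it lets
// scheme-relative values ("//other-host/...") through.
function naiveIsLocal(param) {
  return !/^[a-z][a-z0-9+.-]*:/i.test(param);
}

// Hardened check: resolve against the site, then require the same origin.
// Returns the local path to serve, or null if the value must be refused.
function resolveLocalPage(param) {
  // Backslashes, spaces and control characters are parsed inconsistently; refuse them.
  if (typeof param !== "string" || /[\\\x00-\x20]/.test(param)) return null;
  let target;
  try {
    target = new URL(param, SITE_ORIGIN + "/");
  } catch {
    return null;
  }
  if (target.origin !== SITE_ORIGIN) return null; // different scheme, host or port
  if (target.username || target.password) return null; // no userinfo tricks
  return target.pathname; // dot segments are already normalised by the parser
}

// Extract the URL parameter from a full fetchurl request and validate it.
function checkFetchurlRequest(requestUrl) {
  const param = new URL(requestUrl).searchParams.get("URL");
  return param === null ? null : resolveLocalPage(param);
}
```
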

Mixed URL Obfuscation:
In mixed URL obfuscation an attacker obfuscates the URL by using all the methods discussed above.

I know this topic might be a little difficult to understand, but I tried my best to keep it as simple as I can. I hope you'll not encounter any problem understanding it. Thanks for reading and keep visiting.
