
How To Evade URL Filters With (Not-So) Fancy Math

timothy posted more than 4 years ago | from the could-I-have-twice-a-half-dozen dept.


Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."


First Post (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31591180)

This first post is in the name of GNAA

Re:First Post (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31591200)

If you say so, chief.

Technical details here (4, Informative)

TSHTF (953742) | more than 4 years ago | (#31591196)

The linked article is next to worthless. The real details are in this blog post. [viruslist.com]

Re:Technical details here (5, Funny)

AnEducatedNegro (1372687) | more than 4 years ago | (#31591232)

don't you mean in this blog post [3273372964] ?

Re:Technical details here (4, Interesting)

moreati (119629) | more than 4 years ago | (#31591828)

don't you mean in this blog post [3273372964]

Interesting. Though Slashcode presented your URL as typed by you, hovering over it and right-click-copy in Chromium shows the canonical dotted quad http://195.27.181.36/en/weblog?weblogid=208188044 [195.27.181.36]

Re:Technical details here (0)

Anonymous Coward | more than 4 years ago | (#31591958)

Firefox doesn't exhibit this behavior.

Re:Technical details here (1)

trapnest (1608791) | more than 4 years ago | (#31592308)

Yeah, firefox attempts to load this: http://www.3273372964.com/en/weblog?weblogid=208188044 [3273372964.com]

Re:Technical details here (1, Informative)

Anonymous Coward | more than 4 years ago | (#31592412)

not here. ff3.6 on windows loads the page as linked...

Re:Technical details here (3, Interesting)

MBCook (132727) | more than 4 years ago | (#31592590)

I'm on Safari on OS X, and I can tell you that the link doesn't work. I get the standard Safari page saying "Can't find the server 3277....".

I tried the links in the blog post, the first three don't work, they have the same problem. The fourth link, the one padded with 0s, eventually failed because the server failed to respond (/.ing, I'm guessing).

This is the first time Safari has failed me in something geeky like this. Safari is the only browser that renders my brother's URL properly. It's one of the unicode symbols, and Safari shows it that way. Safari shows (snowman).net correctly, but Firefox turns it into xn--n3h.net [xn--n3h.net] .

Of course, /. won't let me post a unicode character.

Re:Technical details here (1)

MBCook (132727) | more than 4 years ago | (#31592604)

Slight clarification: My brother doesn't own (snowman).net, he has a URL with a unicode character in it. (snowman).net was an example I found.

Re:Technical details here (1)

elfprince13 (1521333) | more than 4 years ago | (#31592252)

Firefox can't even figure out how to open that.

Re:Technical details here (2, Informative)

teh moges (875080) | more than 4 years ago | (#31592320)

It works fine for me (v3.5.8 on kubuntu)

Re:Technical details here (2, Informative)

iammani (1392285) | more than 4 years ago | (#31592354)

Me too, in FF v3.6 on Windows 7

Re:Technical details here (2, Informative)

elfprince13 (1521333) | more than 4 years ago | (#31592440)

Well, at least on Mac it doesn't know what to do with it.

Re:Technical details here (1, Interesting)

ObitMan (550793) | more than 4 years ago | (#31591374)

I'm using opendns.
none of the numeric URLs listed in the blog post work with it enabled

Re:Technical details here (4, Informative)

TheRaven64 (641858) | more than 4 years ago | (#31591550)

OpenDNS is irrelevant. These are IP addresses, they are not domain names, so they don't need to go via DNS to be resolved. None of the links works in Safari on OS X either, but you can ping the IPs in the terminal, so it appears to be a bug (or 'security feature') in libcurl, which is what Safari uses for resolving URLs (earlier versions used CFURL, now WebKit uses libcurl directly). Checking this in the terminal shows the problem is actually deeper; libcurl passes the address to getaddrinfo(), but that fails. Trying the same command on GNU/Linux works correctly, so the glibc implementation of getaddrinfo() does handle this kind of resolution correctly. I presume that on OS X the ping utility handles its own address parsing; telnetting to 0x42.0x66.0x0d.0x63 fails in the host lookup stage.

Re:Technical details here (1)

ObitMan (550793) | more than 4 years ago | (#31592086)

my point is using these links to phish may not work if someone is using opendns.
i get the message
"You tried to visit 0x42.0x66.0x0d.0x63, which is not loading."

tested with firefox on a mac/linux and xp

Re:Technical details here (1)

Kral_Blbec (1201285) | more than 4 years ago | (#31592364)

And his point is that since you aren't putting in a domain name, your DNS server is irrelevant. It is never contacted.

For what it is worth, I also use OpenDNS and that loads just fine. You are probably putting a www in front, in which case it will try to resolve as a domain name and not as an IP.

See the difference between http://0x42.0x66.0x0d.0x63/ [0x66.0x0d.0x63] and http://www.0x42.0x66.0x0d.0x63/ [0x66.0x0d.0x63]

Re:Technical details here (3, Informative)

ObitMan (550793) | more than 4 years ago | (#31592202)

never mind. i misread the article, sorry

Re:Technical details here (0)

Anonymous Coward | more than 4 years ago | (#31591624)

If your browser is performing a dns lookup for http://3273372964/en/weblog?weblogid=208188044 [3273372964] it is doing it wrong. Please report it to the developer and use a better browser.

Re:Technical details here (1)

amicusNYCL (1538833) | more than 4 years ago | (#31591642)

The browser is responsible for this, not DNS. When I hover over the links, such as the post above yours or those in TFA, I see in the status bar the normal octet IP. So the browser does that translation, not DNS. In fact, I see this text above:

don't you mean in this blog post [3273372964]?

But when I hover over that or copy the link, I get this:

http://195.27.181.36/en/weblog?weblogid=208188044 [195.27.181.36]

Re:Technical details here (1)

ObitMan (550793) | more than 4 years ago | (#31592064)

I understand that the browser does the translation.
using firefox on a Mac at the moment.
when i click on the numeric google links in the blog you linked to, opendns returns its block or search page.
my point is using these links to phish may not work if someone is using opendns.

Re:Technical details here (1)

ObitMan (550793) | more than 4 years ago | (#31592196)

never mind. i misread the article

Re:Technical details here (1)

BitZtream (692029) | more than 4 years ago | (#31592046)

Interestingly enough, OpenDNS has nothing to do with your broken browser!

'Numeric' or rather IP addresses in forms other than dotted quad are still just IP addresses and they do not get 'looked up' in DNS when connecting to a host. Even if they did, they'd all be sent as a 32-bit integer to opendns anyway (as that's the way the DNS protocol works) so once again, opendns cannot provide any sort of special treatment to URLs with IPs used that way.

They work the exact same even if you have no DNS configured. DNS is not involved.

They are processed by the URL parser software used in applications that work with them such as web browsers. If they just 'don't work' for you at all then your web browser is broken and can't parse RFC compliant URLs. It's possible that it has been broken intentionally as a safety feature to prevent stupid people from clicking bad/deceptive links but it is broken nonetheless.

Re:Technical details here (1)

ObitMan (550793) | more than 4 years ago | (#31592176)

after re-reading everything i see where the problem is.

i goobered in my original assumption

Re:Technical details here (0)

Anonymous Coward | more than 4 years ago | (#31591558)

I usually just piss on the firewall at specific spots and it seems to let me bypass the filters.

Re:Technical details here (1)

Bengie (1121981) | more than 4 years ago | (#31591972)

I learned about this back in 2002 in my Network security class

Re:Technical details here (4, Interesting)

plover (150551) | more than 4 years ago | (#31592486)

That blog post even has a variant of obfuscation the author likely didn't intend. He mentioned octal, but used a funny notation in his google.com example:
http://00000102.00000146.00000015.00000143/ [00000146.0...5.00000143]

True octal notation simply requires a single leading zero, like this:
http://0102.0146.015.0143/ [0146.015.0143]

The cool thing is this opens a new avenue for further defeating the fixed string-based scanners. These are all equivalent:
http://00000102.00000146.00000015.0143/ [00000146.00000015.0143]
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.00143/ [00000146.00000015.00143]
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.000143/ [00000146.00000015.000143]
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.0000143/ [00000146.0...15.0000143]
(Slashdot makes me fill the lines with not-repetitive stuff.)
http://00000102.00000146.00000015.00000143/ [00000146.0...5.00000143]
Sure, a regexp would easily solve the problem, but that seems to be part of the root problem anyway.

Re:Technical details here (0)

Anonymous Coward | more than 4 years ago | (#31592644)

Good one /. - Now the Chinese will block this too.

virtual hosts (2, Informative)

munehiro (63206) | more than 4 years ago | (#31591198)

too bad this won't pass any Host: information in the HTTP header, hence anything based on a virtual host will be unreachable through pure IP address. You will have to perform a bit more hacking to do that, and it won't defeat deep packet inspection filters.

Re:virtual hosts (1)

MichaelSmith (789609) | more than 4 years ago | (#31591252)

Great for proxies (etc) though.

How about (ab)using a service for testing your web site on different browsers? It sends back a picture of the specified page.

Re:virtual hosts (1)

duguk (589689) | more than 4 years ago | (#31591390)

too bad this won't pass any Host: information in the HTTP header, hence anything based on a virtual host will be unreachable through pure IP address. You will have to perform a bit more hacking to do that, and it won't defeat deep packet inspection filters.

Actually, it does pass the original URL through on the Host header. (I realise it won't work on existing sites without it in as an alias, but it is interesting!)

I was surprised too, but tried it out myself yesterday, expecting the browser to rewrite it to IP and send that as the host, at least, it doesn't in Firefox. I suspect it may vary per browser; possibly.

Go have a look at http://0x40167cc8/ [0x40167cc8] and compare with http://64.22.124.200/ [64.22.124.200] .

Re:virtual hosts (1)

MichaelSmith (789609) | more than 4 years ago | (#31591414)

I suspect following those links would get me sacked.

Re:virtual hosts (1)

networkBoy (774728) | more than 4 years ago | (#31591546)

FWIW, I pulled up a known blacklisted site at work with this method (felt it was safer than random /. links). Still blocked. In addition the proxy returned the known DNS name the 'IP' corresponded to.
-nB

Re:virtual hosts (1)

duguk (589689) | more than 4 years ago | (#31591716)

FWIW, I pulled up a known blacklisted site at work with this method (felt it was safer than random /. links). Still blocked. In addition the proxy returned the known DNS name the 'IP' corresponded to. -nB

Honestly, it's not a dodgy link! Don't blame you though, really.

Websense by any chance? That seems to be aware of it. This is an old trick really, it's well mentioned on the internets. Am surprised about the host header though.

Re:virtual hosts (1)

duguk (589689) | more than 4 years ago | (#31591676)

Unless your company doesn't like webdesigners/pc repair companies, or had a problem with plain text pages containing a short hex code; I doubt it!

This one might though: http://www.naughtyapes.co.uk/ [naughtyapes.co.uk] . But probably not.

Still, you get the point right? That the host header is passed on despite it being an IP in Hex notation?

102 105 114 115 116 112 111 115 116 33 (0)

Anonymous Coward | more than 4 years ago | (#31591208)

102 105 114 115 116 112 111 115 116 33

Re:102 105 114 115 116 112 111 115 116 33 (1)

WrongSizeGlass (838941) | more than 4 years ago | (#31591246)

Man, those are the worst lottery numbers ever ... plus, they're not even in numerical order.

Re: Lottery (1)

TaoPhoenix (980487) | more than 4 years ago | (#31591614)

Where do Hurley's numbers from Lost go?

Re:102 105 114 115 116 112 111 115 116 33 (4, Funny)

bytethese (1372715) | more than 4 years ago | (#31591284)

That's the same combination I have on my luggage!

Re:102 105 114 115 116 112 111 115 116 33 (1)

maxwell demon (590494) | more than 4 years ago | (#31591402)

I think there's a 32 missing between the 116 and the 112. Also instead of 102 you should have used 70.

Re:102 105 114 115 116 112 111 115 116 33 (1)

plover (150551) | more than 4 years ago | (#31592518)

102 105 114 115 116 112 111 115 116 33

Oh, that's like my scary octal dream. I think I even saw an 8!

0xdeadbeef (2, Funny)

Anonymous Coward | more than 4 years ago | (#31591244)

Hrm... wonder how much the owner of the ip at 0xdeadbeef wants for it... :D

Re:0xdeadbeef (1)

dotgain (630123) | more than 4 years ago | (#31591382)

[pinky to mouth] 0x174876E800 dollars!

Re:0xdeadbeef (2, Informative)

ppanon (16583) | more than 4 years ago | (#31591576)

Uh oh. Looks like you can't Just Google It. Not only that, but they have all of 0xDEAD*

; <<>> DiG 9.2.4 <<>> -x 222.173.190.239
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44377
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;239.190.173.222.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
173.222.in-addr.arpa. 3600 IN SOA dns1.ctnt.com.cn. root.dns1.ctnt.com.cn. 2005100802 10800 3600 604800 3600

Re:0xdeadbeef (0)

Anonymous Coward | more than 4 years ago | (#31591598)

It's in China...

inetnum: 222.173.0.0 - 222.175.255.255
netname: CHINANET-SD
descr: CHINANET SHANDONG PROVINCE NETWORK
descr: Shandong Telecom Corporation
descr: No.999,Shunhua road,Jinan,Shandong
country: CN
admin-c: XR55-AP
tech-c: CH93-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-SD
mnt-routes: MAINT-CHINANET-SD

Yeah But... (4, Informative)

Greyfox (87712) | more than 4 years ago | (#31591262)

I actually preferred using a url with the 10 digit number that was my base 10 IP address in E-Mails as it got people's attention in an otherwise bland sea of domains. This has been a feature of libc as long as I can remember (in Linux you should be able to ping an IP address in some other number base) but Firefox actually makes an effort to disallow using IP addresses with this notation. So if they're using Firefox, it won't work so well.

Re:Yeah But... (1)

rubycodez (864176) | more than 4 years ago | (#31592092)

eh?, my firefox 3.5.8 does http://3626153264/ [3626153264] just fine (that's it.slashdot.org by the way)

as others have pointed out, doesn't matter to any sane filtering system, the same numeric IP is emitted over the network by your computer anyway regardless of numerical base in browser

Time For... (1)

bytethese (1372715) | more than 4 years ago | (#31591266)

...a snort inline installation.

Simple defense: (1)

gman003 (1693318) | more than 4 years ago | (#31591276)

Never follow a link that isn't a DNS name. Someone should write an addon that disables IP addresses for links, since they are almost always pointed at evil sites anyways. The only time I enter an IP is to connect to one machine on the LAN.

Re:Simple defense: (3, Insightful)

DavidRawling (864446) | more than 4 years ago | (#31592510)

Unfortunately you now cannot configure your ADSL modem until you install and configure local DNS and add the modem to the zone. Hardly something most grandmothers can do.

Firefox patch available (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31591280)

here [nimp.org]

Parent is troll link - don't click. (3, Informative)

Anonymous Coward | more than 4 years ago | (#31591434)

Here is some text to get past the filter.

Re:Parent is troll link - don't click. (1)

trapnest (1608791) | more than 4 years ago | (#31592358)

There are people on the internet that don't know what nimp.org is? lol

Oh come on (5, Interesting)

Zouden (232738) | more than 4 years ago | (#31591300)

It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.

FTFA:

it’s possible to imagine URL filtering tools having the same lack of support.

In other words, no testing has been done at all. What is this poorly-thought-out bit of speculation doing on the front page of Slashdot?

Re:Oh come on (1)

PCM2 (4486) | more than 4 years ago | (#31591408)

It doesn't matter which way you enter the address into your browser, it still resolves to the same IP. If that IP is blocked, you won't get through even if you use this method.

Unless, I guess, your filter allows you to specify IP addresses to be filtered as strings and then compares them to the addresses of requests as strings. It would be lazy, sloppy, bad programming -- but that's never stopped anyone.

Still, that behavior would be trivial enough to fix.

Re:Oh come on (1)

Lehk228 (705449) | more than 4 years ago | (#31592056)

especially likely since the "easy" way would be to include the IPs in the list of blocked domains and let the text matching of the domain blocker do the work

Re:Oh come on (0)

Anonymous Coward | more than 4 years ago | (#31592212)

How does someone with a UID that low make such a stupid statement?

No matter how you try to obfuscate the destination - a base-10 "number", octal, binary, who effing cares how - it still goes out on the wire as an IP packet with a destination address field, either sourced from your desktop or your proxy. Packets don't lie.

In fact, as a security type person for a large corporation, this kind of evasion would just piss me off and motivate me to send HR on your ass and get you written up for evading the standard web controls.

Re:Oh come on (1)

OopsIDied (1764436) | more than 4 years ago | (#31591424)

It's true, I tried this at school three years ago and no matter what way I put the IP in, the site was blocked. Might as well use Tor. If you're on XP it's a matter of a flash drive and C:\Windows\System32\at.exe to run any program you want

Re:Oh come on (1)

DarkOx (621550) | more than 4 years ago | (#31592154)

Only if your admin either does not really care or is terrible at building GPOs

Re:Oh come on (1)

Judinous (1093945) | more than 4 years ago | (#31591440)

Yeah, the only thing that I can imagine this possibly affecting would be the browser's phishing filters.

Re:Oh come on (1)

mysidia (191772) | more than 4 years ago | (#31591700)

Unless it's a filter that simple lookup by IP already circumvents. Or it's a client-side filter/phishing site blocker that checks only the user-entered/user-clicked URL string against a blacklist (not the IP it resolves to)

Re:Oh come on (1)

Sigma 7 (266129) | more than 4 years ago | (#31591730)

If that IP is blocked, you won't get through even if you use this method.

True, but if you block by IP, you risk blocking other sites on the same host. For example, a medium-sized business may think they're blocking access to http://ebay.com/ [ebay.com] , but suddenly discover they're also blocking the revenue source http://paypal.com/ [paypal.com] .

Technically, multiple sites shouldn't be on the same page, but...

Re:Oh come on (0)

Anonymous Coward | more than 4 years ago | (#31592008)

Do you mean shouldn't be on the same host?

Re:Oh come on (1)

Spit (23158) | more than 4 years ago | (#31591736)

Thankfully octal and hex are easy to regexp in squid. All hail Squid!

Re:Oh come on (0)

Anonymous Coward | more than 4 years ago | (#31591924)

If there is just a content filter, then this method can work.

Re:Oh come on (2, Insightful)

BitZtream (692029) | more than 4 years ago | (#31591984)

You do realize this is a timothy post ... right?

Works in Chrome (3, Interesting)

crow (16139) | more than 4 years ago | (#31591310)

All the alternate methods of specifying IP addresses for URLs work in Chrome. When you mouse over the link, you see it with the traditional decimal IP address, so it's not as obfuscated as it could be. Similarly when you reach the site, the URL displayed is in the traditional format.

Addresses like http://0xdeadbeef/ [0xdeadbeef] and http://0xdeadd00d/ [0xdeadd00d] are assigned to a Chinese telecom company (they have all of 0xdead....).

Re:Works in Chrome (1)

jittles (1613415) | more than 4 years ago | (#31591316)

This is not a new problem. I worked for an ISP in 1999 and we saw attackers using this back then.

Crap articles aren't a new problem either (1)

simplypeachy (706253) | more than 4 years ago | (#31591644)

Nor is it out of general use - I see phishes using them often. Privoxy is my friend. I've been blocking these since about 2007:

.0x*./
.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/
.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/
(Must try the new extended host name pattern matching)

And the lesson people don't learn is... (4, Insightful)

Estanislao Martnez (203477) | more than 4 years ago | (#31591360)

You can't just do things like this based on the syntax of the input, but rather on the semantics. In this case, to properly block the URLs, you need to parse them and transform them into an abstract representation of what they mean, e.g. a struct that encodes the protocol, host, port, document and query strings, and then examine the parse result to check if it matches the rule.

The IT industry just systematically fails this over and over, because of people's bad habit of doing shit with regular expressions instead of parsing and semantic analysis. See, for example, the gazillion ways that people get around cross-site scripting filters; or if you want to see it from the other angle (generation instead of parsing), see SQL injection.

Re:And the lesson people don't learn is... (1)

mick232 (1610795) | more than 4 years ago | (#31591686)

You're right. Equally important is the question: why do we have to be able to specify IP addresses in more than one number format? I don't see any benefit in that.

Re:And the lesson people don't learn is... (1)

Estanislao Martnez (203477) | more than 4 years ago | (#31591750)

Equally important is the question: why do we have to be able to specify IP addresses in more than one number format? I don't see any benefit in that.

Indeed. That points to another rule, I think, from the protocol/language design side: the syntax should be as closely isomorphic to the semantics as possible. 10 different ways to say the same thing means 10 different ways things can go wrong.

Re:And the lesson people don't learn is... (0)

Anonymous Coward | more than 4 years ago | (#31592332)

Because the computer doesn't really understand IP addresses. To the computer, it sees one 32-bit number. People aren't really good at memorizing numbers, so dotted-octet IP notation was designed. It isn't that we have the ability to enter a number (in any of the many ways any given number can be written) and have it interpreted as an IP. It's that we have the ability to enter an IP and have it converted into a number.

Re:And the lesson people don't learn is... (1)

Estanislao Martnez (203477) | more than 4 years ago | (#31592674)

Because the computer doesn't really understand IP addresses. To the computer, it sees one 32-bit number. People aren't really good at memorizing numbers, so dotted-octet IP notation was designed. It isn't that we have the ability to enter a number (in any of the many ways any given number can be written) and have it interpreted as an IP. It's that we have the ability to enter an IP and have it converted into a number.

But you see, the point is that there should be three levels of abstraction here, not two:

  1. The low-level computer representation of a 32-bit number. This is where the checks whether two IP addresses are the same should happen.
  2. The canonical textual representation of IP addresses, as used in textual URLs. This is where GP and I think the protocols allow for too much flexibility. Our argument is that as far as the protocol is concerned, each IP address should ideally have just one unique textual representation, and applications should just reject URLs that don't fit the canonical representation. This simplifies applications that have to deal with that protocol.
  3. Tools and libraries that take some input to generate textual representations of URLs. Such tools may take non-canonical representation of IP addresses in hex, base 10, or whatever they want, as long as they can spit out the correct representation in #2 for the benefit of other applications that implement the protocol. I.e., if your application wants to be able to deal with IP addresses represented textually as hex, octal and decimal numerals, fine, but it shouldn't be allowed to assume that other applications will accept such encodings. It should convert its internal representations into the normal form before it sends stuff over the wire.
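The canonicalize-then-compare design these posts call for (plover's padded-octal variants, PCM2's string-comparing filter, simplypeachy's Privoxy patterns, and the three-level parse-then-compare scheme above), as an added Python example that is not from the original thread. It implements the classic inet_aton() grammar itself (hex, octal with any number of leading zeros, decimal, and one- to four-part forms where the last part fills the remaining bytes) instead of calling the platform resolver, so it behaves the same on every OS; the block list entries and the two filter functions are constructed for the example.

```python
import re
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# One inet_aton()-style part: hex (0x..), octal (leading 0, any padding) or decimal.
_PART = re.compile(r'(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)\Z')


def _part_value(part):
    """Value of one part under inet_aton() rules ('0' alone is decimal zero)."""
    if part[:2].lower() == '0x':
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == '0':
        return int(part, 8)
    return int(part, 10)


def parse_legacy_ipv4(literal):
    """Parse an inet_aton()-style literal into a 32-bit integer, or None.

    One to four dot-separated parts: every part but the last is one byte,
    the last part fills whatever bytes remain ('a', 'a.b', 'a.b.c', 'a.b.c.d').
    """
    parts = literal.split('.')
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):
        return None
    width = 8 * (4 - len(head))          # bits the last part may occupy
    if last >= 1 << width:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return (n << width) | last


def canonical_ipv4(literal):
    """Dotted-quad spelling of an IP literal in any accepted form, or None."""
    n = parse_legacy_ipv4(literal)
    return None if n is None else str(ipaddress.IPv4Address(n))


def is_obfuscated_ip_literal(host):
    """True when host is an IP literal whose spelling is not the canonical one.

    This is the semantic version of regex rules like '.0x*./': a literal that
    parses but does not round-trip to itself is worth flagging or rewriting.
    """
    c = canonical_ipv4(host)
    return c is not None and c != host


def canonicalize_url(url):
    """Rewrite an IP-literal host into dotted-quad form; leave names untouched."""
    parts = urlsplit(url)
    c = canonical_ipv4(parts.hostname) if parts.hostname else None
    if c is None:
        return url
    netloc = c + (f':{parts.port}' if parts.port is not None else '')
    if '@' in parts.netloc:                # keep any userinfo as written
        netloc = parts.netloc.rsplit('@', 1)[0] + '@' + netloc
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# Constructed block list, stored as strings the way a lazy filter keeps them.
BLOCKLIST = ['66.102.13.99', '195.27.181.36']


def string_match_filter(url, blocklist=BLOCKLIST):
    """The sloppy filter PCM2 describes: compares spellings, so any other
    spelling of the same address passes through."""
    return urlsplit(url).hostname in blocklist


def address_filter(url, blocklist=BLOCKLIST):
    """Semantic filter: compare 32-bit addresses, whatever the spelling."""
    n = parse_legacy_ipv4(urlsplit(url).hostname or '')
    if n is None:
        return False   # not an IP literal; name-based rules would apply instead
    return n in {parse_legacy_ipv4(b) for b in blocklist}
```

The addresses from the thread round-trip as the posters observed: 0x42.0x66.0x0d.0x63, 0102.0146.015.0143 and the padded 00000102.00000146.00000015.00000143 all canonicalize to 66.102.13.99, and 3273372964 to 195.27.181.36. Note that glibc's inet_aton() also accepts trailing whitespace and some other oddities this parser rejects; for a filter that is the safe direction, since rejecting is never a bypass.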

...and then, what? windows reinstalls? (1)

h00manist (800926) | more than 4 years ago | (#31591366)

So a URL isn't filtered. What happens then? Windows gets reinstalled. Not automatically, of course. Perhaps techies get another job. Or someone's pc gets a job, for some botnet. Makes internet life eventful, I guess.

Re:...and then, what? windows reinstalls? (1)

Lehk228 (705449) | more than 4 years ago | (#31592084)

your boss walks in while you have goatse on your screen

Re:...and then, what? windows reinstalls? (1)

plover (150551) | more than 4 years ago | (#31592566)

your boss walks in while you have goatse on your screen

Hey, boss, come look at my new "magic mirror" app. It uses the web cam to display people as they truly are!

*fired*

But some days it would be soooo worth it.

Big problem (4, Informative)

Bogtha (906264) | more than 4 years ago | (#31591404)

The problem with this approach is that the requested URL doesn't provide a hostname, just the IP address. As IP addresses are in short supply, it has been an extremely common practice for years to assign multiple websites to a single IP address, otherwise known as name-based virtual hosting. This is common even for large companies. When you specify the URL with an IP address, the browser doesn't provide an appropriate Host: HTTP header, so any web server set up this way won't know which of the many websites it hosts should be returned. This means that anybody browsing the web with this technique will find that some websites work and some won't, seemingly at random to them.

Why? (4, Insightful)

Anonymous Coward | more than 4 years ago | (#31591432)

Who thought it was a good idea to allow IP addresses to be entered in so many different formats? Who are you to decide that 0x01 is not a domain name? This is a feature which is hardly ever going to be used legitimately, but the code must be written and tested. KISS. Keep it simple, stupid.

Re:Why? (1)

maxwell demon (590494) | more than 4 years ago | (#31591534)

Are those hex formats actually RFC conforming? It might be just the result of using %i instead of %d in a scanf format string.

Re:Why? (1)

networkBoy (774728) | more than 4 years ago | (#31591572)

0x01 can not a domain name be, 0x01.(com|net|org|etc...) can.

Re:Why? (0)

Anonymous Coward | more than 4 years ago | (#31591602)

0x01 could be TLD.

Re:Why? (1)

McNally (105243) | more than 4 years ago | (#31591872)

0x01 can not a domain name be, 0x01.(com|net|org|etc...) can.

You're describing a "fully qualified domain name [wikipedia.org] ", not a "domain name".

Re:Why? (0)

Anonymous Coward | more than 4 years ago | (#31592254)

who thought it was a good idea to provide security by blacklisting ip address?

Welcome to the 20th century (4, Informative)

Dachannien (617929) | more than 4 years ago | (#31591520)

I'm glad Slashdot is here to tell us about these things, or else I might not have found this important security bulletin [mitre.org] .

Re:Welcome to the 20th century (0)

Anonymous Coward | more than 4 years ago | (#31591740)

wheew I thought I was getting old and forgetful ... first thought was I remember futzing with this like 10 years ago... guess I was right... OMG does that mean I really did kill that waiter and hide his body in a dumpster??!?!?!?

What is the point? (1)

Marrow (195242) | more than 4 years ago | (#31591538)

You can have a hundred dns records point to the same "hacked" site. So what's the point of this?

If it's broken, it's broken. This analysis is just adding complexity and air-time to no purpose.

The basic fact is that we have incredibly complicated software tools (browsers) that are designed to feed on an arbitrarily large set of untrusted, malicious, infected data. The browsers are in fact -designed- to go behind your back to download data from servers you never queried and did not know existed. They can and will do this -randomly- or at the discretion of people who want to harm you.

The software browsers on most of the machines in the world operate with the ability to modify any file in the host computer. Even if they are prevented from changing some files, it only takes certain files to make the entire system untrustworthy.

It's broken. I love the web. But it's broken by design.

Re:What is the point? (1)

mysidia (191772) | more than 4 years ago | (#31591946)

The software browsers on most of the machines in the world operate with the ability to modify any file in the host computer. Even if they are prevented from changing some files, it only takes certain files to make the entire system untrustworthy.

It's broken. I love the web. But it's broken by design.

What makes you think this design has anything to do with the web?

On a unix system, you can make a user just for browsing the web, with no special permissions.

Have a script run every week to delete and re-create that user, scrapping all cookies and preferences files every time.

Then there's very little a web browser can change, really.

There's also nothing inherent about web browser technology that browsers have to have such permissions by design -- or even anything by design that they have to provide silent cross-site object loading.

There's limited ability to automatically accept/reject off-site objects based on user expectations, true, but that doesn't mean the whole thing's broken.

HTTP/1.0 Perhaps, HTTP/1.1 Unlikely (2, Informative)

izomiac (815208) | more than 4 years ago | (#31591808)

HTTP/1.0:
GET /index.html HTTP/1.0

HTTP/1.1:
GET /index.html HTTP/1.1
Host: example.org

If the site relies on HTTP/1.1, as is the case when multiple domains are hosted from the same IP address, then it's not possible to access the site by IP alone. OTOH, any filter worth its salt would do a reverse DNS lookup on an unknown IP, which would reveal the single domain name for an HTTP/1.0 server, rendering this technique mostly useless for HTTP packet filtering.

Tricking HTTP proxy servers might work, if they allow CONNECT on port 80:

CONNECT 2130706433:80 HTTP/1.1

GET /index.html HTTP/1.1
Host: example.geek

We learned this on slashdot. (1)

British (51765) | more than 4 years ago | (#31591992)

We must have had 20 different ways to get to goatse.cx.

Re:We learned this on slashdot. (4, Funny)

bakdor (1617851) | more than 4 years ago | (#31592140)

We must have had 20 different ways to get to goatse.cx.

I didn't need 20 different ways. I just had it bookmarked for quick and easy viewing.

Not new, affects most Linux programs (1)

Jeffrey Baker (6191) | more than 4 years ago | (#31592026)

This isn't really new, and it's not just browsers. Most programs will take anything that can be interpreted by strtoul(3) as an IP address.

# ping 0xdeadbeef
PING 0xdeadbeef (222.173.190.239) 56(84) bytes of data.
From 219.146.113.214 icmp_seq=1 Time to live exceeded
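A defender-side counterpart to the strtoul(3) behaviour described in this comment (and to the decimal "2130706433" form in the HTTP proxy comment above), written here as an added example rather than code from the thread or any product: a filter that canonicalises inet_aton-style numeric hosts to the dotted quad the browser will actually connect to before consulting a blocklist. It handles the general case of one to four components, each decimal, octal or hex, not only the single hex form shown in the ping output; the blocklist entries are constructed sample values.

```python
from typing import Optional, Set

# Added example (not from the thread): canonicalise the numeric host forms
# that inet_aton(3)/strtoul(3)-style parsers accept, so a filter compares
# the dotted quad the browser will actually connect to, not the raw string.

def _parse_part(part: str) -> int:
    """Parse one component the way strtoul(s, NULL, 0) does:
    0x -> hex, leading 0 -> octal, otherwise decimal."""
    if not part:
        raise ValueError("empty component")
    if part[:2].lower() == "0x":
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)          # int() raises on digits 8/9
    if not part.isdigit():
        raise ValueError(f"not numeric: {part!r}")
    return int(part, 10)

def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted quad for any inet_aton-style form (1 to 4 parts,
    each hex/octal/decimal), or None if host is not a numeric IPv4."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # inet_aton semantics: the last component fills all remaining low bytes.
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):
        return None
    remaining_bits = 8 * (4 - len(head))
    if last >= 1 << remaining_bits:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << remaining_bits) | last
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def is_blocked(host: str, blocklist: Set[str]) -> bool:
    """Look up the canonical address (or the lowercased name) in the list."""
    canon = canonical_ipv4(host)
    return (canon or host.lower()) in blocklist
```

A filter that skips this step will happily accept "0xdeadbeef" while blocking "222.173.190.239", which is exactly the gap the summary describes.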

How I get past it (0)

Anonymous Coward | more than 4 years ago | (#31592080)

1. Pick a web translation service from a trusted URL, e.g. http://babelfish.yahoo.com/
2. Translate a web page (which is blocked) from one random language to another (e.g. Greek to French).
3. Most schools wouldn't block Yahoo. The translation engine skips over non-comprehended words. Enjoy.

Security Products? (0)

Anonymous Coward | more than 4 years ago | (#31592204)

'security products'? A list of known malicious websites is no security. If that known malicious website can do something harmful, then any other site can do that, too.

Saw it on Slashdot 10 years ago (0)

Anonymous Coward | more than 4 years ago | (#31592216)

I used this method to defeat school filters 10 or 11 years ago after I read about it in an article on Slashdot. Is it 1999 again?

1998 called, they want their evasion techniqz back (0)

Anonymous Coward | more than 4 years ago | (#31592390)

http://www.packetstormsecurity.org/mag/keen/kv6.txt

Trivial math to evade real world filters (0)

Anonymous Coward | more than 4 years ago | (#31592414)

Trying to be a little bit useful and not slam on the OP. My company does web-based educational software. When we first released the product, we found that schools would filter out URLs containing strings which suggested games or fun. Also, Windows Vista clients would block outgoing URL requests which contained 2 or more substrings which happened to be the same as certain rude words.

We found that running rot13 over URLs before they were transmitted between client and server (or vice versa) circumvented these very simple-minded filters.

ANCIENT (2)

Urza9814 (883915) | more than 4 years ago | (#31592570)

We used to use this back when I was in high school to get past the crappy filtering software. This is _very_ old news. Hell, I think I have a book from about a decade ago talking about this. Why is this on Slashdot?
