URL Obscuration, Obfuscation and General Trickery
(Page 3 of 4)
Bogus Authentication Information
HTTP URLs theoretically support the inclusion of authentication information, by including <user>:<password>@ before the host in the URL. Yet the vast majority of Web sites are open and neither require nor use it. If you specify an authentication string and it is not needed, it is ignored.
This is one of the most popular techniques at present. One way it is used is by including authentication information that looks like a benign host, to make the user think the URL is for that host. For example, if I wanted to trick you into visiting The PC Guide, I might use this URL to make it look like clicking it would go to CNN:
This is still too obvious, however, so this method is often combined with some of the techniques below.
The use of the percent sign to encode special characters such as spaces and punctuation can also be abused to obscure the name of a domain. For example, the following is another way of expressing the DNS name for The PC Guide:
Try it. J
Okay, this is where things get really bizarre. Most of the time, we express an IP address as a dotted decimal number. Remember, however, that to computers, the IP address is just a 32-bit binary number. Most browsers support a rather shocking number of methods for expressing these numbers. This is unfortunate, because this flexibility is really not needed and almost never used for legitimate purposes. It can lead to some really bizarre URLs that are unrecognizable, or that look like regular IP addresses but are not.
Here are some examples, all of which are the same as the IP address form of The PC Guide (<http://220.127.116.11>):
And, in hexadecimal:
Home - Table Of Contents - Contact Us
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.