Various Methods for Obscuring URLs

by Ed Skoudis, Internet Storm Center

Note that this list is _not_ comprehensive, but a handy reference for some of the tricks bad guys use to fool users.

Each method looks like it goes to www.sans.org, but really points to www.giac.org. Note that not all methods work for all browsers. Modern versions of IE do not like the %01, %00, @, and related tricks.

Regular: www.sans.org

Subversion (Say www.sans.org, link to www.giac.org): www.sans.org www.sans.org

%01: www.sans.org

@: www.sans.org

%01%00@: www.sans.org

IP ADDR: 216.239.41.99: www.sans.org

Decimal IP addr: 3639552355: www.sans.org

Hex IP addr: 0xd8ef2963: www.sans.org

Hex IP addr with dots: 0x40.0x70.0xe5.0x83: www.sans.org

URL Encoding as ASCII in Hex: http://%77%77%77%2E%67%69%61%63%2E%6F%72%67: www.sans.org

URL Encoding as Unicode: www.google.com www.sans.org

URL Encoding as Unicode with @: www.microsoft.com@www.google.com www.sans.org

URL Shortener at http://csua.org/u/: www.sans.org

URL Shortener at http://www.rapp.org/url/: www.sans.org

Mixed ASCII and Unicode: www.sans.org

Octal: 0330.0357.0051.0143: www.sans.org

Octal Long form: 000330.000357.000051.000143: www.sans.org
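A defender can undo several of these encodings before a link is displayed, logged or filtered. The following Python sketch is an added example, not part of the original list: it strips the userinfo before an `@`, decodes percent-escapes in the host, and converts decimal, hex and octal IPv4 literals to dotted-quad form. The function names and sample URLs are constructed from the values above; URL shorteners and the Unicode (`%u`) forms are not handled.

```python
import re
from urllib.parse import urlsplit, unquote

_NUM = re.compile(r"0x[0-9a-f]+|[0-9]+")  # one hex, octal or decimal part

def numeric_host_to_ipv4(host):
    """Dotted quad for a decimal/hex/octal IPv4 literal, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUM.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p[2:], 16) if p.startswith("0x")
                else int(p, 8) if len(p) > 1 and p.startswith("0")
                else int(p) for p in parts]
    except ValueError:  # e.g. "089" is not valid octal
        return None
    *head, last = nums  # leading parts are one byte each; the last fills the rest
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def real_destination(url):
    """Return (host actually contacted, list of obfuscation findings)."""
    parts = urlsplit(url)
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo before @: %r" % unquote(parts.username or ""))
    raw = parts.hostname or ""
    host = unquote(raw).lower()
    if host != raw:
        findings.append("percent-encoded host")
    ip = numeric_host_to_ipv4(host)
    if ip and ip != host:
        findings.append("non-canonical IPv4 literal")
    return ip or host, findings

# Constructed sample URLs built from the values listed above.
SAMPLES = ["http://www.sans.org%01%00@www.giac.org/",
           "http://%77%77%77%2E%67%69%61%63%2E%6F%72%67",
           "http://3639552355/", "http://0330.0357.0051.0143/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", real_destination(u))
```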