Home Blog About

Hacking the URL schema

2025-11-20 by madcap

A while ago I submitted an article to the 2600 magazine. It was published in the Autumn issue of 2024. For those who don't know the 2600 magazine (2600 - The Hacker Quarterly), it's a publication about hacking and technology that has been around for 41 years. Check it out:

https://2600.com

Since it's been a year since my article has been published, I thought it was time to release online. So, here it is (with some minor corrections and updates). I hope you enjoy it.

Let's hack

Let's talk a little about the ancient art of generating URL's that look legit and similar to some address that you may know. There are several ways to do it.

The most common technique is called typosquatting and relies on the typos that we make when typing an address on the address bar. Like goggle.com or paypall.com. Although we get to those malicious sites by mistyping a website address, many people would also click on a link with that URL not really noticing the typo.

There are also homograph attacks which rely on the fact that different characters can look very similar, like the capital I and the lower case L. Also there are different alphabets (latin, greek, cyrillic) that have very similar symbols.

But in this article I'm going to focus on a different kind of attack called "URL Schema Obfuscation". It's so good that it allows you to create a fake URL that looks pretty normal and you don't even have to register a fake domain.

Let's say that you receive a legitimate looking link to a supposedly enraging tweet by some billionaire that you love to hate:

http://twitter.com∕elonmusk∕status∕@2672109077

You click on it. But instead, you're taken somewhere else. In this case, you would be taken to a homepage with a video you may have see before.

How did this happen? Let's split the above address in parts and start by the end.

The 2672109077 part, which looks like the id of a tweet, is indeed a disguised IP address in decimal format. This is a valid format, although most people don't know. An IP address is, in fact, a 32 bit number. It's easier to represent it in the normal dotted notation, separating it in 4 parts, each part having 8 bits, like we usually do. But we can as well use it in decimal format.

Let's say that we want our victims to be redirected to a prank website, which in this case has the IP address 159.69.38.21. First, start by converting each part of that address into binary format:

10011111.01000101.00100110.00010101

Remove the dots, obtaining a 32 bit value, and then convert it to a decimal number:

binary 10011111010001010010011000010101 = decimal 2672109077

Now, if you paste that decimal number into your browser's address bar, preceding it with http://, you will be taken to the prank website. Try it:

http://2672109077

But what about the rest of the URL (twitter.com/elonmusk/status/@)? Well, this part also has some tricks in it.

First there's the at sign (@). That character, when placed before a domain name, means that you want to authenticate to that site using some username. Let's say you wanted to sign as user jaime at the site joana-blog.net. You would type http://jaime@joana-blog.net. This is not a very common means of authentication (nor a secure one), but it's a valid one. It was common in the old days to authenticate to FTP servers.

So, at the example given above, you would be authenticating at http://2672109077 with the username "twitter.com/elonmusk/status/".

Kind of. If you type that manually on your address bar, the browser it will see those slashes and invalidate all that I've been saying. But instead of using regular forward slashes we can use a unicode character that looks like a slash but is instead interpreted as a regular character. In my example I'm using the unicode character U+2215 (division slash). You can see more details about it here:

https://codepoints.net/U+2215

So, after these small manipulations, you end up with a normal looking URL that will trick anyone because it looks like a valid address. That teaches us that we should be very careful when clicking random links even when they look legit (don't click links on suspicious emails, remember?)

Since this method only works when using http (instead of https), if you see a link that starts with http:// you should probably avoid it. If in doubt, try typing the address manually into your browser.

Another thing you should do is use Firefox as your main browser. Firefox shows a warning saying that you're trying to login to a website that doesn't request authentication. Something like this:

You are about to log in to the site "159.69.38.21" with the username "twitter.com".

(I wonder how many people will still click "OK" after this message, anyway)

Unfortunately Google Chrome doesn't show that warning. And you know what? 7 out of 10 people use Google Chrome or some variant of it, which makes an attack like this pretty efficient.

This is not a complicated method, but I created a python script to make the creation of these URL's easier:

#!/bin/python3

import sys

URL_TEMPLATE = "http://{}@{}"

if len(sys.argv) != 3:
    print("Usage: ./obfuscate_url.py <fake_address> <real_ip_address>\n" \
    "Example: ./url_schema_obfuscation.py twitter.com/elonmusk 194.150.169.131")
    exit(-1)

fake_addr = sys.argv[1]
real_ip_addr = sys.argv[2]

username_part = (
    fake_addr.replace("http://", "")
    .replace("https://", "")
    .replace("/", "\u2215")
)

ip_parts = real_ip_addr.split(".")
binary_string = ""

for part in ip_parts:
    binary_string += "{0:08b}".format(int(part))

print(URL_TEMPLATE.format(username_part, int(binary_string, 2)))

Be safe and beware of any links with an at sign!

Back to homepage