URL Obfuscation Techniques


  • obfuscation is frequently used to mask a URL

URL Shorteners

URL shorteners are online tools for creating short links from long URLs.

  • common on social media
    • where character limits are a concern
  • Malicious actors can use URL shorteners to
    • disguise harmful content
    • conduct social engineering attacks
    • and collect user data
  • pose security risks:
    • phishing attacks
      • can use shorteners to disguise malicious links to trick unsuspecting users into clicking them
      • URL shorteners often bypass controls like URL filtering and blocklisting
    • data privacy
      • When users create shortened URLs, they often provide information to the shortening service:
        • the original URL
        • the date and time of creation
        • and the IP address associated with the creator of the shortened link
      • This information can be used to track user activity across the Internet
  • rely on third-party services to redirect users to the original URL
    • shortened URL may no longer work if:
      • the third-party service goes offline
      • the link is not correctly maintained
      • referred to as link rot
  • to mitigate risks:
    • be cautious when clicking on shortened URLs
    • use reputable URL shorteners
    • avoid creating shortened links for sensitive information
    • inspect shortened URLs by revealing the original site

URL Un-shortening

URL un-shortening is the process of expanding a shortened URL back to its original URL.

QR Codes

  • QR codes offer convenience and are often used to replace URLs
  • Most modern camera apps have built-in QR code recognition
    • allow users to scan codes to visit websites without typing or clicking
  • offer a “fun factor,” which makes them all the more enticing for users and effective for attackers

URL Doppelgängers

A doppelgänger domain is one that is missing the dot between the subdomain and domain part.

  • e.g., wwwgoogle.com instead of www.google.com
  • attacker may work to locate doppelgängers for popular websites and then register them as unique domains hosting malicious content

Character Swapping

Character swapping replaces one or more characters in a URL with very similar-looking ones.

  • Viewing the URL may not make it obvious that the link is incorrect
    • depending on the font style

URL Encoding

URL encoding seeks to mask the content of a URL to avoid pattern matching or simple visual inspection detection methods and to confuse engineers, analysts, and users.

Example

To encode this URL:

https://www.comptia.org/certifications/cybersecurity-analyst/
  1. colons and slashes are replaced with their URL-encoded (hexadecimal) equivalents:
    • %3A represents :
    • %2F represents /

https%3A%2F%2Fwww.comptia.org%2Fcertifications%2Fcybersecurity-analyst

  2. every character of the host and path is replaced with its hexadecimal equivalent:
    • Most search engines can convert encoded URLs

https://%77%77%77%2e%63%6f%6d%70%74%69%61%2e%6f%72%67%2f%63%65%72%74%69%66%69%63%61%74%69%6f%6e%73%2f%63%79%62%65%72%73%65%63%75%72%69%74%79%2d%61%6e%61%6c%79%73%74

  3. the entire URL is encoded using base64 and preceded with some qualifiers to help identify its purpose:
    • Loading the string into a browser reveals what the string of characters represents

data:text/html;base64,aHR0cHM6Ly93d3cuY29tcHRpYS5vcmcvY2VydGlmaWNhdGlvbnMvY3liZXJzZWN1cml0eS1hbmFseXN0

URL Redirects

  • In the context of obfuscation, URL redirects often take advantage of a poorly secured website
  • Website developers often program redirect functionality within their pages to send visitors to companion sites and payment processors
  • redirect capability can be abused
    • allow an attacker to use the site to send visitors anywhere
  • redirect URL often looks like:
https://<trustedsite>.com/redirect.php?url=https://<someotherwebsite>.com
  • The vulnerable component is a PHP element
    • could use any name (not just redirect.php)
    • may use a different language, but PHP is very common
  • appeal of this method is that the URL’s root (e.g., www.google.com) is trustworthy
    • but the user will land on the page referenced in the redirect
      • which is likely not trustworthy
  • Combining this method with other obfuscation techniques to mask the redirection URL can make it highly effective
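As an added example (not part of the original notes), the following Python peels the three encoded forms from the URL Encoding section back to the original URL (it also handles double percent-encoding, which the notes do not show) and flags the redirect pattern from the URL Redirects section. The host names trusted.example and other.example are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

def decode_url(s: str, max_rounds: int = 5) -> str:
    """Peel obfuscation layers until the string stops changing:
    base64 data: URIs first, then percent-encoding (repeated, so a
    double-encoded %253A -> %3A -> ':' is also unwrapped)."""
    for _ in range(max_rounds):
        before = s
        m = re.match(r"data:[^,]*;base64,(.*)$", s, re.S)
        if m:
            payload = "".join(m.group(1).split())   # tolerate line wrapping
            payload += "=" * (-len(payload) % 4)    # restore stripped padding
            s = base64.b64decode(payload).decode("utf-8", "replace")
        s = unquote(s)
        if s == before:
            break
    return s

def find_redirect_target(url: str):
    """Flag the open-redirect pattern: a query parameter whose decoded value
    is an absolute http(s) URL on a different host than the outer link.
    Returns (outer_host, embedded_host) or None."""
    outer = urlsplit(url)
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlsplit(decode_url(value))
            if inner.scheme in ("http", "https") and inner.netloc \
                    and inner.netloc.lower() != outer.netloc.lower():
                return outer.netloc, inner.netloc
    return None

# Constructed samples: the three encodings of the comptia.org URL from the
# notes above, plus a redirect link carrying a percent-encoded target.
ENCODED_SAMPLES = [
    "https%3A%2F%2Fwww.comptia.org%2Fcertifications%2Fcybersecurity-analyst",
    "https://%77%77%77%2e%63%6f%6d%70%74%69%61%2e%6f%72%67%2f%63%65%72%74%69%66%69%63"
    "%61%74%69%6f%6e%73%2f%63%79%62%65%72%73%65%63%75%72%69%74%79%2d%61%6e%61%6c%79%73%74",
    "data:text/html;base64,aHR0cHM6Ly93d3cuY29tcHRpYS5vcmcvY2VydGlmaWNhdGlvbnMvY3li"
    "ZXJzZWN1cml0eS1hbmFseXN0",
]
REDIRECT_SAMPLE = "https://trusted.example/redirect.php?url=https%3A%2F%2Fother.example%2Flanding"

if __name__ == "__main__":
    for sample in ENCODED_SAMPLES:
        print(decode_url(sample))
    print(find_redirect_target(REDIRECT_SAMPLE))
```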