Featured
Following
39 minutes ago•••
Studio Ghibli films will always be some of my favorites 🥹🤣🤣
#moviestr #grownostr
4eb88310...5d6d replied 38 minutes ago
1
48 minutes ago•••
I've always been a DC girl who liked marvel. I have missed so many MCU movies. Just finished rewatching all the Deadpool films. Now, rewatching every X-Men/Wolverine/MCU movie in order. 👀🔊 https://file.nostrmedia.com/p/4eb88310d6b4ed95c6d66a395b3d3cf559b85faec8f7691dafd405a92e055d6d/2c248f8f4fecb24b150d4c3bf406d09102d88c2fbd81478eb0c6ce770d275be7.mp4
1 hour ago•••
This is fun.
2600 The Hacker Quarterly Volume Fourty-One, Number Four Winter 2024-2025
More Fun with URL Hacking by Daryl Furuyama
In the Autumn 2024 edition, Tiago Epifanio (madcap) highlighted a few techniques for obfuscating URLs in the article "Hacking the URL Schema" that sounded fun, so I gave them a try to see what I could do with them. The first technique was the use of decimal versions of IP addresses (v4) so they do not look like IP addresses anymore. For example, going to http://192.168.0.1 is the same as going to http://3232235521. madcap described the conversion to decimal by converting each segment of the IP address into binary, removing the dots between them, and converting that binary back to decimal. Alternatively, you can just sum the product of each segment multiplied by 256 raised to the ordinal of the address segment (e.g., 192.168.0.1 = 192 * 256^3 + 168 * 256^2 + 0 * 256^1 + 1 * 25=6^ 0 = 3232235521). I was on a Windows machine, so I used the command prompt with the nslookup command to get the desired IP address (e.g., nslookup 2600.com) and Excel to do my conversions.
In addition to the https restriction detailed in the aforementioned article, I was also running into issues where most sites do not allow for direct IP access, limiting what could be accessed with this technique. The only real use cases I could think of were either to set up my own server with a funny message on the index page or see if there was something that could be done with the sites that did allow direct IP access. Setting up my own server seemed like a lot of work for a practical joke, so I opted to explore what could be done with sites that did allow direct IP access. Fortunately, I found that Google does allow direct IP access, so that opened up some additional opportunities.
The other two techniques explained by madcap were that browsers will ignore anything in a URL before an @ sign (because it thinks that it is entering a username) and the use of a Unicode "division slash" character that looks like a normal slash used in URLs but isn't treated as one. I used the Character Map tool in Windows to get the "division slash" character and constructed a URL like http://dev.some-fake-company.com∕person_search∕@2398766158/search?q=John+Doe where the slashes after .com and person_search are the "division slash" characters, and the others being regular slashes. That URL will just return a Google search for "John Doe." You can then tell your friend, "Hey John, look what I found on this company's website," and watch as John is unimpressed with the dev's lazy work that just returns a Google search. Note that simply copying and pasting the URL may trigger automatic link detection, breaking the link when it gets to the "division slash," so using the "Insert Link" function may be needed when sharing a link.
Sending friends an obfuscated Google search obviously isn't too exciting. However, I then remembered that Google also has an "I'm Feeling Lucky" feature that redirects the user to the website of the first search result. I might be able to bypass the direct IP access restriction by using Google to do the redirecting. The current version of the Google website makes it a little difficult to figure out how to trigger the "I'm Feeling Lucky" functionality, but I was able to use the Wayback Machine on the Internet Archive to get an old version of the Google search page and found out that adding &btnI=I%27m+Feeling+Lucky to the end of the URL will still result in redirecting users to the first result. So, a URL like http://www.some-fake-company.com∕@2398766158/search?q=2600&btnI=I%27m+Feeling+Lucky (with the slash after .com still being the "division slash") will result in a redirect to 2600.com, assuming you have the same search result order as I do.
Yet, there are now two new issues. The first one is that there is a blatant I%27m+Feeling+Lucky in the URL, giving away the ruse. The second one is that I get a browser notice that the page is being redirected, also breaking the illusion. However, there is hope in noticing that the URL has I%27m instead of I'm. This is because certain characters need to be encoded to properly be sent through the URL, with the most common example being spaces encoded as %20.
W3 Schools has a reference table here: https://www.w3schools.com/tags/ref_urlencode.ASP , and it looks like even normal alphanumeric characters can be encoded, even though it's not common. So, if we change the "F" in "Feeling" to %46, we get the less obvious URL of http://www.some-fake-company.com∕@2398766158/search?q=2600&btnI=I%27m+*%46*eeling+Lucky, and we still get redirected to 2600.com, which solves the first issue. Just keep in mind that the more characters changed, the more obfuscated the URL becomes, but also the longer it becomes since each character is now replaced by three.
The next logical question would be if I can obfuscate characters through URL encoding, do I even need to use the decimal IP address technique anymore with all its restrictions that I'm trying to overcome? The URL https://some-fake-company.com∕@%32%36%30%30%2E%63%6F%6D (with the slash after .com still being the "division slash") does indeed send me to 2600.com, I can use https, I don't seem to have the same direct IP access restriction anymore, and I don't have to rely on a third party to redirect to the destination site. Overall, I'd say that URL encoding is a more flexible technique, although decimal IP formatting has its uses for its brevity and was the catalyst that sent me down this adventure to find a different solution. Running into unexpected challenges and discovering ways to overcome those challenges are all part of the fun. Now I have a few more tools in my arsenal to play with and a deeper understanding of how URLs work.
#IKITAO #2600 #Tech #Hacking
9 hours ago•••
GM ☀️ PV 🤙
People freaking out about DeepSeek seem pretty shallow.
21 hours ago•••
I AM HODLING ✊
gn 🌙 pv 🤙
22 hours ago•••
Corn is great for growing hogs, soybeans are best used for diesel fuel
22 hours ago•••
23 hours ago•••
Something has gotten into people. I’m finding myself muting more. I don’t want negativity and anger in my feed. There are other places to find that noise, and I’m not here for it. Besides, there are brand new pubs showing up every day, so it makes up for it.
31 hours ago•••
I don't need to win the coffee contest, but I do need to get my hands on some of @npub1vpx...jspj’s roast. ☕️
32 hours ago•••
Let’s get this guy on here. Nostriches of Maine, activate!
ee6ea13a...6e74 replied 32 hours ago
1
33 hours ago•••
33 hours ago•••
May you live in interesting timechains. ⏳⛓️
35 hours ago•••
I’ve been zooming into this picture for at least 15 minutes and I keep finding new details.
New York City and Lower Hudson River Valley, New York, U.S.A. View from Space Shuttle Columbia, mission STS-58, October 1993
ee6ea13a...6e74 replied 35 hours ago
3
37 hours ago•••
They should just change their name to Conbase at this point.
39 hours ago•••
Hear me out: Flying drone vacuums that actually get the dust from places Roombas can’t go.
“Floombas.”
47 hours ago•••
My lunch was hamburger and onions. I know, not keto, but I had to feed 6 people with only one pound of hamburger thawed out.
* Smash 1lb hamburger into bottom of hot cast iron chicken fryer, put on high gas flame with lid on.
* Sear and cook on one side, then flip and salt cooked side liberally. Tip lid and reduce to medium heat. Cook until moisture pools around hamburger.
* Peel two softball sized onions, halve both and slice horizontally into 1/4" half-rings
* Remove hamburger to plate and drop onions in pot where hamburger was cooked. Cook on high covered until soft, stirring four times per minute.
* Reduce heat to medium until onions are lightly caramelized and translucent. Transfer to bowl.
* slice 1/2lb of cheddar or other cheese of choice into 1/4" slices, layer all cheese over hot onions
* place hamburger back into pot seared-side-up at medium to sear other side for a couple minutes, then place hamburger newly-hot-side down on top of cheese which is melting over onions.
No additional seasoning required: hamburger, onions, cheese and salt are only ingredients. It's kind if like French onion soup without the broth.
The kids went crazy, even the ones that say they don't like onions.
LOAD OLDER THREADS