BADURLS: A new URL Obfuscation Tool for Red Teaming

Anish M
2 min read · Apr 24, 2021

We humans are bad at URLs. The obscure features of a URL are too complex for the common person, and the bad guys abuse this lack of knowledge to their advantage, just to satisfy their evil desires.

On January 26, 2020, I released a simple Python script called URL OBFUSCATOR on GitHub to spread awareness about URL obfuscation, a technique used to hide and conceal the original web address so that it imitates the URL of a real website.

Here is how my Python tool works:

It simply takes the URL of the website that is to be hidden as input and converts it into a form in which the original website is almost unrecognizable!

Imagine I controlled an evil site, say http://example.com, and wanted to trick people into giving up their passwords. I could just convert it into https://facebook.com+login=secure+settings=private@example.com and email it to people (everything before the @ is treated by the browser as login credentials, not as the hostname, so the browser actually connects to example.com). Most of us would just look at the URL, see that it has https in it and facebook.com in it, and end up believing it is the real Facebook login page.

To make matters worse, most websites do not take open redirect vulnerabilities seriously, so I could easily append my evil site example.com behind the affected website; this turns the legitimate user's trust in the original website to my advantage and redirects them to my evil site ;)

It works like this: let the affected site be http[:]//evil.com and suppose I control http://example.com. I would simply append http://example.com behind http[:]//evil.com, like http[:]//evil.com/q?=http://example.com. The user would think they were accessing evil.com but would be redirected to example.com.
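Both tricks above leave traces that a URL parser can surface before anyone clicks. The following checker is an added example written for this article, not the author's URL OBFUSCATOR code: it uses Python's `urllib.parse` to report the host the browser really connects to when a userinfo part imitates a hostname, and to flag query values that are themselves absolute URLs pointing off-site, the shape an open redirect takes. The sample URLs are the two from the article plus constructed ones.

```python
from urllib.parse import urlsplit, parse_qsl

def analyze_url(url):
    """Return (real_host, findings) for one URL.

    Applies the two checks the article motivates: a userinfo part that imitates a
    hostname (the 'facebook.com...@example.com' trick) and a query value that is
    itself an absolute URL pointing off-site (the open-redirect shape).
    """
    parts = urlsplit(url)
    findings = []
    # urlsplit separates userinfo from the host for us: a browser connects to
    # parts.hostname, not to whatever text appears before the '@'.
    real_host = (parts.hostname or "").lower()
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        if "." in userinfo:
            findings.append(
                f"userinfo '{userinfo}' imitates a hostname; real host is '{real_host}'")
    # parse_qsl percent-decodes values and keeps a blank name such as in 'q?=http://...'.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        target = value.strip()
        if target.lower().startswith(("http://", "https://")):
            embedded_host = (urlsplit(target).hostname or "").lower()
            if embedded_host and embedded_host != real_host:
                findings.append(
                    f"query parameter '{key}' carries an off-site URL to '{embedded_host}'")
    return real_host, findings

if __name__ == "__main__":
    # Constructed samples: the two URLs from the article, a percent-encoded
    # redirect parameter, and a plain URL that should produce no findings.
    samples = [
        "https://facebook.com+login=secure+settings=private@example.com",
        "http://evil.com/q?=http://example.com",
        "http://evil.com/out?next=https%3A%2F%2Fexample.com%2F",
        "https://www.facebook.com/login",
    ]
    for sample in samples:
        host, notes = analyze_url(sample)
        print(f"{sample}\n  real host: {host}")
        for note in notes:
            print(f"  ! {note}")
```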

I have manually tried to find open redirects in search engines, particularly deep web search engines. Some open redirects, like those of the DuckDuckGo search engine, are available on the open web. Most of the open redirects I found, I reported to the respective organizations whenever possible.

In good faith, I have decided to release my Python tool publicly as an open source program for educational and research purposes at https://github.com/Anish-M-code/URL-obfuscator . Please don't use the tool to spam or target anybody. I hope this article spreads awareness about the dangers of malicious sites that use similar techniques and helps stop cyberattacks.

Thanks for reading :)