Obscuring IP addresses & URLs

There are many ways to obscure an IP address, which can be useful for getting web requests past filters when testing for issues such as SSRF.
These obscuring methods come from the fact that IP addresses are numbers, which can be interpreted in multiple ways.

@ Authentication

It is possible to put an @ symbol before a domain or IP in a URL. Pretty much everything (except a forward slash!) between http:// and @ is then treated as the URL's userinfo component and is irrelevant to the request made to the web server:

https://anythingatall!"£$£$^%*@google.com

is just https://google.com. Browsers show a popup asking whether going to that site is intentional, potentially to avoid phishing.

Octal

An IP can be expressed in base 8. Each octal number needs to be preceded by at least one zero, but as many zeros as desired can be added. For example:

127.0.0.1 = 0177.0000.0000.0001
206.191.158.55 = 0316.0277.0236.067 = 0000000000000316.0277.000236.00000000000067

Hexadecimal

Prefixing a value with 0x allows hex numbers to be used in IP addresses, with or without dots, like the following:

127.0.0.1 = 0x7f000001
127.0.0.1 = 0x7f.0x00.0x00.0x01
0x1337beef = 19.55.190.239
0xCE.0xBF.0x9E.0x37 = 206.191.158.55

URL Encoding

Encoding also works on the URL itself. It is possible to URL encode the hostname or IP address, as follows:

https://303sec.com = https://%33%30%33%73%65%63%2E%63%6F%6D

Decimal

An IP address can be converted to its decimal equivalent (the four octets read as a single 32-bit number), such as:

127.0.0.1 = 2130706433
10.0.0.1 = 167772161

Combinations

These techniques can be used together to create Frankenstein IPs. The following IP address is just 127.0.0.1:

0x7f.000000000000.0.%31
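
Seen from the filter's side, every spelling above has to collapse to one address before an allow/deny decision is made. The following Python is an added example, not code from the original page: it drops the part before @, percent-decodes the host, and applies the octal/hex/decimal rules described above. The function names (parse_ipv4, resolve_literal, is_blocked) are hypothetical.

```python
# Added example (not from the original page); function names are hypothetical.
import ipaddress
import re
from urllib.parse import unquote, urlsplit

_NUM = re.compile(r"0x[0-9a-f]+|[0-9]+", re.IGNORECASE)

def _part(text):
    """One inet_aton-style number: 0x = hex, leading 0 = octal, else decimal."""
    if not _NUM.fullmatch(text):
        raise ValueError(text)
    if text[:2].lower() == "0x":
        return int(text, 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)  # raises ValueError on digits 8 or 9
    return int(text, 10)

def parse_ipv4(host):
    """Return the IPv4Address a numeric host spelling denotes, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def resolve_literal(url):
    """Drop userinfo, percent-decode the host, then normalise it."""
    host = unquote(urlsplit(url).hostname or "")
    return parse_ipv4(host)

def is_blocked(url):
    """True when the URL's host is a literal loopback or private address."""
    ip = resolve_literal(url)
    return ip is not None and (ip.is_loopback or ip.is_private)
```

This only covers hosts written as literals; a hostname that is not a number still has to be resolved and the resulting address checked in the same way.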
