Obscuring IP addresses & URLs

There are lots of ways to obscure IP addresses, which can be useful in getting web requests to bypass filters with issues such as SSRF.
These obscuring methods come from the fact that IP addresses are numbers, which can be interpreted in multiple ways.

@ Authentication

It is possible to put an @ symbol before a domain or IP in a URL and pretty much everything (except a forward slash!) between http:// and @ is irrelevant to the request made to a webserver:

https://anythingatall!"£$£$^%*@google.com

This is just https://google.com. Browsers show a popup asking whether going to that site is intentional, potentially to avoid phishing.


An IP can be expressed in base-8. Each octet needs to be preceded by at least one zero, but as many zeros as desired can be added. For example:

127.0.0.1 = 0177.0000.0000.0001
206.191.158.55 = 0316.0277.0236.067
206.191.158.55 = 0000000000000316.0277.000236.00000000000067


A 0x prefix allows hex numbers to be used in IP addresses, with or without dots, like the following:

127.0.0.1 = 0x7f000001 = 0x7f.0x00.0x00.0x01
0x1337beef = 19.55.190.239
0xCE.0xBF.0x9E.0x37 = 206.191.158.55

URL Encoding

This also works on URLs. It is possible to URL encode the hostname or IP address, as follows:

https://303sec.com = https://%33%30%33%73%65%63%2E%63%6F%6D


An IP address can be converted to its decimal equivalent, such as:

127.0.0.1 = 2130706433
10.0.0.1 = 167772161
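
For anyone writing the filter, every form above has to collapse to one canonical address before an SSRF allow/deny decision is made. The following Python is an added example, not code from the original page; the function names are hypothetical, and it assumes the fetching client parses hosts with classic inet_aton rules (0x = hex, leading 0 = octal, last part fills the remaining bytes), which also covers mixed forms.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Accepted spellings of one dotted component and the base each implies.
_FORMS = ((r"0x[0-9a-f]+", 16), (r"0[0-7]*", 8), (r"[1-9][0-9]*", 10))

def parse_part(part):
    """Parse one component: 0x prefix = hex, leading zero = octal, else decimal."""
    p = part.lower()
    for pattern, base in _FORMS:
        if re.fullmatch(pattern, p):
            return int(p, base)
    raise ValueError(f"not a numeric component: {part!r}")

def canonical_ipv4(host):
    """Return the IPv4Address a numeric host denotes, or None if it is a name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [parse_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are one byte each; the final part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def effective_host(url):
    """Drop any userinfo before '@' and the port, then undo percent-encoding."""
    return unquote(urlsplit(url).hostname or "")

def is_internal(url):
    """True if the URL's host is a numeric IPv4 address in a non-public range."""
    ip = canonical_ipv4(effective_host(url))
    return ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local)

if __name__ == "__main__":
    # Constructed sample URLs using the notations from this page.
    for url in ("http://x@0177.0x0.0.1:8080/", "http://2130706433/",
                "http://0xCE.0xBF.0x9E.0x37/", "https://%33%30%33%73%65%63%2E%63%6F%6D"):
        print(url, "->", canonical_ipv4(effective_host(url)), is_internal(url))
```

A host for which `canonical_ipv4` returns None is a name, so it still has to be resolved and the resulting address checked, since a hostname can point at an internal IP.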


These techniques can be used together to create Frankenstein IPs. The following IP address is just