eridal 313 days ago [-]
I used to use http://127.1 for laziness until I've found that I was able to use http://0 which is even lazier :)
wybiral 313 days ago [-]
Thank you. I had no idea...
jchw 313 days ago [-]
Thanks to the rapid adoption of TLS, HTTP/1.1, and CDN services like Cloudflare, it's hard to actually find IP addresses to test some of these tricks on. However, it seems like at least some of this stuff really does still work.

Here's one for Without the host header, it still misbehaves, but it at least does something.


hdhzy 313 days ago [-]
Firefox for Android displays it as after opening the page.
yorwba 313 days ago [-]
Firefox on Linux also displays it as on hover.
notamy 313 days ago [-]
Same with Chromium on Linux.
SalimoS 313 days ago [-]
Mobile safari on iOS 10 also show the same ip adress
lucb1e 312 days ago [-]
Firefox even displays the IP address in dotted notation in the status bar on hover, so it parses the URL before displaying where the link goes.

While nice, I can't help but imagine the mayhem once someone finds a URL parsing bug that leads to remote code execution. Then again, URL parsing is decades old now, the odds that it still contains a RCE is probably low.

unkown-unknowns 313 days ago [-]
Same with Firefox on iOS
zaxomi 312 days ago [-]
A quick test show that Chrome, Firefox and IE accepts dotted, long, class a, and long with auth in decimal, octal, and hex notation. Firefox also accepts long overflow.

Non of them accept Dotted overflow, Class B or Class C.

Decimal Dotted

Decimal Dotted Overflow http://448.424.256.257/

Decimal Long http://3232235521/

Decimal Long Overflow http://7527202817/

Decimal Class A http://192.11010049/

Decimal Class B http://49320.1/

Decimal Class C http://12625920.1/

Decimal Long with auth

Octal Dotted http://0300.0250.00.01/

Octal Dotted Overflow http://0700.0650.0400.0401/

Octal Long http://030052000001/

Octal Long Overflow http://070052000001/

Octal Class A http://0300.052000001/

Octal Class B http://0140250.01/

Octal Class C http://060124000.01/

Octal Long with auth

Hex Dotted http://0xc0.0xa8.0x0.0x1/

Hex Dotted Overflow http://0x1c0.0x1a8.0x100.0x101/

Hex Long http://0xc0a80001/

Hex Long Overflow http://0x1c0a80001/

Hex Class A http://0xc0.0xa80001/

Hex Class B http://0xc0a8.0x1/

Hex Class C http://0xc0a800.0x1/

Hex Long with auth

jaclaz 313 days ago [-]
>Last Updated Sunday, 13 January 2002
hdhzy 313 days ago [-]
Yes, exactly. The @ trick is being removed from browsers because what the author refers to as interesting trick has been used for phishing and other scams.
frik 313 days ago [-]
Since when is destroying web standards acceptable? There are so many internet and intranet pages from 1994+.

In the name of security the change way too many moving parts lately to push their hidden agenda.

Using HTTP in local LAN is fine. Using HTTP for non login-pages is fine. Using "basic authentification" (user:pwd@IP) is fine for certain use cases. Stop breaking things.

I am not using a Firefox anymore, they went insane lately, they don't bother about their community anymore. I am worried about Chrome too, TLS only for HTTP/2 is the wrong signal. So many times I couldn't open a HTTPS sites because the browser thinks the cert is broken - it was just a trivial page were I just want to read some text (not input anything) - just some me the page - something that wouldn't be a problem with HTTP.

If Firefox, Chrome or whoever want to destroy access to 1994-2017 websites, go to hell. Name your forked off thing TheMicrosoftNetwork (or what not) and see it tank rather quickly.

Spivak 312 days ago [-]
Keep in mind they're not breaking HTTP basic auth, they're just just removing the ability to specify credentials in the URL because its legitimate use is extremely rare but its use in phishing is common.
jwilk 313 days ago [-]
What's exactly being removed?
0x0 313 days ago [-]
You used to be able to put HTTP basic authentication into the URL in the format - modern browsers are removing support for the "username:passord@" part because people would put a legit domain in the username:password@ part to fool users. (i.e., which would actually take you to while sending a username of "" and a password of "article123456")
mschuster91 313 days ago [-]
what? O.o I use this in Keepass to store quick-login links for some that still require http basic auth (though, haven't tested these for a while). Do you have any link on the deprecation?
0x0 313 days ago [-]
jwilk 313 days ago [-]
> In Firefox, it is checked if the site actually requires authentication and if not, Firefox will warn the user with a prompt "You are about to log in to the site “” with the username “username”, but the website does not require authentication. This may be an attempt to trick you.".

Huh, that's just security theater. The phisher could set up a website that does require authentication, thereby avoiding the warning.

The sensible thing to do would be to display the warning if the username contains unescaped dots. (I.e., would provoke warnings, but would not.)

jchw 313 days ago [-]
Thinking about this, I think you're right that this is perhaps less useful than billed. If anything though, I'd rather have both warnings.
313 days ago [-]
jaimex2 313 days ago [-]
Strange, it still works for me on Chrome on a http site.
theEXTORTCIST 313 days ago [-]
I just tried this on Chrome 60.0.3112.90. Both Firefox and Safari throw phishing warnings with these URLs. Chrome takes me to no warning

Then I tried

Which stretches way past my laptops viewable URL bar... and it takes me right to badsite.null (or a valid site like If you need HTTPs you can redirect on badsite.null's web server. Very wild.

313 days ago [-]
313 days ago [-]
313 days ago [-]
dmurray 313 days ago [-]
These are interesting as curiosities, but most of them are not interesting from the point of view of deceiving users, and this was the case even when the article was written.

It's trivial to make users think they are not visiting, or just to serve evil content from instead. This means a blacklist model of web addresses will never work, and even the most naive computer user uses a whitelist instead, if they pay attention to urls at all.

The trick is the exception, and it's good that browsers are working on ways to mitigate this.

styfle 312 days ago [-]
A lot of large organizations purchase domains that are similar to theirs to avoid typo-squatting as well as the impersonation you pointed out.

The creation of new TLDs in the last few years only increases the permutations.

For example:

313 days ago [-]
theEXTORTCIST 313 days ago [-]
The data URL scheme is abusable.

Firefox and Chrome correctly redirect to localhost via javascript