Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Curl those funny IPv4 addresses - 462

Daniel Stenberg, Posted 4 Years Ago
  • This article is about the multitude of ways that Curl will accept IP addresses. This article is written by the maintainer of Curl!
  • When we think of IP addresses, we commonly think of four sets of decimal numbers (such as 192.168.1.1). However, the URL specification allows for MANY other formats.
  • Staying true to the 4 octets, the numbers can be written in octal (base 8) with a leading 0 or in hexadecimal (base 16) with a leading 0x. For instance, here are the representations of 192.168.0.1 in octal and hexadecimal respectively: 0300.0250.0.01 and 0xc0.0xa8.0x00.0x01.
  • However, even the 4 octet format is not required. Numbers can be written in 1, 2, 3 or 4 octets. For instance, 3232235521 is 192.168.0.1 as a whole decimal number. Written as two numbers, it looks like 0xc0.052000001.
  • These can even be mixed and matched, depending on the prefix. For instance, all three bases can be used in a single IP address: 0xc0.0250.1.
  • Parsing IP addresses is NO trivial task! Different bases, octet sizes... if you have an application that is potentially vulnerable to SSRF, try using different bases to hit the inside.
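
On the defensive side, an SSRF filter has to normalize these forms before comparing a host against internal ranges. The sketch below is an added example, not code from the article or from curl; the function names are hypothetical and the parsing rules are the ones summarized above (0x prefix for hex, leading 0 for octal, last number fills the remaining bytes).

```python
import ipaddress

# The representations of 192.168.0.1 listed in the summary above.
SAMPLES = ["192.168.0.1", "0300.0250.0.01", "0xc0.0xa8.0x00.0x01",
           "3232235521", "0xc0.052000001", "0xc0.0250.1"]

def parse_part(part: str) -> int:
    """Parse one dot-separated number: 0x = hex, leading 0 = octal, else decimal."""
    low = part.lower()
    if low.startswith("0x"):
        digits, base = low[2:], 16
    elif len(low) > 1 and low.startswith("0"):
        digits, base = low[1:], 8
    else:
        digits, base = low, 10
    allowed = "0123456789abcdef"[:base]
    # Validate digits ourselves: int() would also accept signs, spaces and "_".
    if not digits or any(c not in allowed for c in digits):
        raise ValueError(f"bad IPv4 component: {part!r}")
    return int(digits, base)

def normalize_ipv4(host: str) -> ipaddress.IPv4Address:
    """Return the canonical address for a 1- to 4-part numeric IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("not an IPv4 literal")
    *head, last = [parse_part(p) for p in parts]
    # Leading parts are single octets; the last part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        raise ValueError("IPv4 component out of range")
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def is_internal(host: str) -> bool:
    """True when the normalized address is private, loopback or link-local."""
    addr = normalize_ipv4(host)
    return addr.is_private or addr.is_loopback or addr.is_link_local

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:22} -> {normalize_ipv4(s)}  internal={is_internal(s)}")
```

A filter built this way should check the normalized address, and should make the outbound request to that same normalized address rather than re-parsing the original string.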