This extension will encode an IP address into a bunch of less known encoding techniques.
This technique is focused on testing vulnerabilities such as SSRF [Server-Side Request Forgery], Open Redirect or RFI [Remote File Inclusion].
If you have Burp Pro it is possible to install directly on BApp:
Don't forget to rate the extension with ⭐⭐⭐⭐⭐ stars ;)
Go to the Extensions -> Installed -> Add -> burp-encode-ip.py
In order to use Unicode characters please follow the steps in the video:
change_burp_font.webm
Demo.webm
Unicode Encoding (Url Encoded) -> Will convert an IP address First to Unicode format and then to URL Encode.
Unicode Encoding (Copy to Clipboard) -> Wil convert the IP address to its Unicode version. Could you paste it on the same action? I did not find any way on Burp Suite to paste Unicode from the script, therefore I added a popup window that will let the user copy the characters on the clipboard and then paste it directly to Burp Suite.
IPv4 on IPv6 Unicode Encoding (URL Encoded) -> Will convert an IP address to the following format (URL Encoded): [::ⓕⓕⓕⓕ:unicoded-ip-address-here]:80. This can be useful to bypass some filters / WAF rules. Twitter PoC
IPv4 on IPv6 Unicode Encoding (Copy to Clipboard) -> As well as Unicode Encoding (Copy to Clipboard) i did not find a way to paste Unicode special characters on Burp Suite (Repeater and Proxy) so when clicking this option the user will see a popup window to copy and paste the generated payload.
Class B Encoding -> Will convert the IP address in two parts: the first two octets are preserved as is and the last two are combined into a single value.
Class A Encoding -> Will preserve the first octet as is and will combine the remaining three octets into a single value.
Hex Encoding -> Will convert the octets of the IP address to hexadecimal values.
Hex w/o dots -> Will convert the IP address to a single hexadecimal value without dots.
Hex Encoding v1 -> Will convert the first octet to hex and combine the remaining three octets into a single hexadecimal value.
Hex Encoding v2 -> Will convert the first two octets to individual hexadecimal values, and the last two octets are combined into a single hexadecimal value.
Octal Encoding -> Will convert the octets of the IP address to octal values.
Octal with 0s Encoding -> Will convert each octet into a zero-padded octal value.
Mixed Encoding -> Will treat the entire IP address as a single integer value. Each octet of the IP address is interpreted as a byte, and these bytes are combined to form a single integer.
Collaborator in IPv6 -> Will use a collaborator URL (automatically obtained from Burp API) and will convert it to an IPv6 valid domain.
DNS Rebinding -> Will generate a domain configured with the DNS Rebinding technique (thanks to https://twitter.com/taviso). In any case, there's the possibility of adding a custom domain (Note that in order for the custom domain to work, this https://github.com/taviso/rbndr must be configured first).
All -> Will generate a popup window that will contain the IP address encoded in all configured conversions currently existing on the extension.
Good luck and good hunting! If you really love the tool (or any others), or they helped you find an awesome bounty, consider BUYING ME A COFFEE! ☕ (I could use the caffeine!)
⚪ e1abrador
- Implement random number of octets encoding, in example: 0251.254.169.254 = 169.254.169.254.
25/08/2023 -> Update integrating DNS Rebinding technique.
This Burp Suite extension should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.