How To URL Mask Like A Pro

Monazir Muhammad Doha | Nov 18, 2023 min read

URL Masking

URL masking is a clever technique used to make a web link appear different than it really is. Imagine it like putting on a disguise for a hyperlink. In this trick, a special character, the “@” symbol, is used to fool web browsers into thinking the link goes somewhere else. Essentially, it’s like dressing up a link to show one thing while secretly leading to another destination. This technique plays with what you see versus what’s actually there, making it important to stay cautious and aware of potential tricks, especially when dealing with unfamiliar links on the internet.

d0ppelganger

d0ppelganger is a url masking tool that can make a fishy url look like it’s from a well known domain. The purpose of making this tool is not to promote phishing. Rather it’s about learnig how it works and spoting a phishing url right away if it’s using url masking.

Warning: Use this tool responsibly and ethically. d0ppelganger is intended for educational and awareness purposes only. I will not be responsible for any misuse or malicious activities conducted using this tool. Always exercise caution and verify URLs before clicking on them.

1. Usage/Examples

Method 01:

Tested on Debian only

If you want the fastest way possible, just execute the below command in a linux shell

wget "https://github.com/Itsmmdoha/d0ppelganger/releases/download/v1.0.1/d0ppelganger_linux_exe_v1.0.1" -q && chmod +x d0ppelganger_linux_exe_v1.0.1 && ./d0ppelganger_linux_exe_v1.0.1

Method 02: Run it from source

For any operating system running python3

  1. clone the repository
git clone https://github.com/Itsmmdoha/d0ppelganger
  1. change directory
cd d0ppelganger
  1. install dependencies
pip3 install -r requirements.txt
  1. run the main file
python3 main.py

2. How it Works

Screenshot from 2023-07-31 16-15-05

The above diagram explaines the things this tool does to a url.

URL masking is a technique used to make a link’s destination appear different from its actual target. d0ppelganger employs the character “@” to manipulate the appearance of a URL and trick the browser into ignoring the text before the character “@”.

In the past, the username:[email protected] pattern was commonly used to embed login credentials directly into the URL. Back in the day, if you typed username:[email protected] in the address bar, the browser would’ve translated it into a HTTP request like this:

GET / HTTP/1.1
Host: site.com
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

In this example, the username is “username” and the password is “password”. The Authorization header contains the Base64-encoded representation of the credentials in the format “username:password”. This method of embedding credentials directly in the URL is known as “Basic Authentication”.

However, this method was inherently insecure and posed a security risk since the credentials would be exposed in server logs and could be easily accessed by unauthorized individuals. Due to these security concerns, modern browsers have deprecated and removed support for this syntax. In modern browsers, the credentials part “username:password@” is simply ignored. The browser will instead make a regular HTTP request to the host specified in the URL without including the credentials. The request would look like this:

GET / HTTP/1.1
Host: site.com

3. This tool uses the is.gd API

To know more about the api, refer to the API Reference. By leveraging the is.gd API, d0ppelganger can shorten URLs, thereby making them look more trustworthy. However, it’s crucial to note that such behavior can be misused for malicious purposes like phishing. The intention behind d0ppelganger is to raise awareness about URL masking and help users recognize and avoid potential phishing attacks.