Vulnerability Development mailing list archives

"tinyurl" url masking


From: Lincoln Yeoh <lyeoh () pop jaring my>
Date: Sat, 10 Sep 2005 09:49:49 +0800

Hi,

Background:
A number of sites allow minimally controlled 3rd parties to post links to images which other 3rd parties can view, and the only filtering used is some pattern matching to ensure that a url has the "correct" extension.

However such filtering has problems if the "image" url actually redirects to a url on a target site that does some naughty stuff.

Main:
Previously attackers were required to at least "own" the site the image url points to, which may be a bit inconvenient and may leave a greater trail.

However some url shortening or condensing services allow one to append additional data to the url so as to pass the pattern matching, and still work. This allows attackers additional freedom.

e.g.

http://snipurl.com/hkgb
becomes:
http://www.google.com.my/search?hl=en&q=test&meta=

And
http://snipurl.com/hkgb/blahblah.jpg
becomes:
http://www.google.com.my/search?hl=en&q=test&meta=/blahblah.jpg

The following
http://tinyurl.com/aqxq8
becomes
http://mail.google.com/mail/?logout&test=

And
http://tinyurl.com/aqxq8/foo.jpg
Goes to
http://mail.google.com/mail/?logout&test=/foo.jpg
Which seems to log one out of google mail :).

Some url shortening pages send a meta refresh page instead, which helps prevent them being abused in this way, but of course it means users of such services have to wait or make an additional click.

There might be other things which one can do. Any ideas?

By the way:
Some url shortening services use a predictable "incrementing" url. And you might be able to point some of them to each other. Loops may be mildly amusing, but aside from that this may allow someone to only add the payload url(s) AFTER the target site has done some validation by visiting the links (and finding only "normal" HTML pages grumbling about the url not being in the records or something).

snipurl seems to reject tinyurl urls (but not vice versa).

An overview of a few url condensing services:
http://notlong.com/links/

(note that "nondeterministic" in that page means something different from nonpredictable. Also see the "path forwarding" bit).

:)

Link.
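The bypass described in the post, modelled as an added example (this is not code from the post or from any of the named services): a naive extension filter accepts a shortener URL once an image-looking suffix is appended, the path-forwarding shortener glues that suffix onto its recorded target, and the resulting destination is whatever the shortener points at. The shortener records, host allow-list and Content-Type lookup below are constructed for the example; the two mappings mirror the post's snipurl/tinyurl samples and are not claimed to be the live records.

```python
import re
from urllib.parse import urlsplit

# Constructed shortener table (assumption: illustrative copies of the post's two
# examples, keyed by (host, code); the real services' records are not reproduced).
SHORTENER_RECORDS = {
    ("snipurl.com", "hkgb"): "http://www.google.com.my/search?hl=en&q=test&meta=",
    ("tinyurl.com", "aqxq8"): "http://mail.google.com/mail/?logout&test=",
}

IMAGE_EXT_RE = re.compile(r"\.(jpe?g|gif|png)$", re.IGNORECASE)


def naive_extension_filter(url):
    """The check the post describes: accept if the URL path ends in an image extension."""
    return bool(IMAGE_EXT_RE.search(urlsplit(url).path))


def shortener_redirect(url):
    """Model a path-forwarding shortener: /code/extra is sent to target + '/extra'.

    Returns the redirect destination, or None if the host/code is not a known shortener entry.
    """
    parts = urlsplit(url)
    code, _, extra = parts.path.lstrip("/").partition("/")
    target = SHORTENER_RECORDS.get((parts.netloc.lower(), code))
    if target is None:
        return None
    return target + ("/" + extra if extra else "")


def resolve(url, max_hops=5):
    """Follow modelled redirects to the final destination, refusing loops and long chains."""
    chain = [url]
    for _ in range(max_hops):
        nxt = shortener_redirect(url)
        if nxt is None:
            return url, chain
        if nxt in chain:
            raise RuntimeError("redirect loop: %s" % " -> ".join(chain + [nxt]))
        chain.append(nxt)
        url = nxt
    raise RuntimeError("too many redirects")


def hardened_check(url, allowed_hosts, content_type_of):
    """Decide on the resolved destination, not the posted string.

    content_type_of(final_url) stands in for an HTTP HEAD/GET of the final URL (constructed
    callable here so the example runs offline). Only a host on the allow-list that actually
    serves image/* passes; an HTML page (including a meta refresh page) is rejected.
    """
    try:
        final_url, _ = resolve(url)
    except RuntimeError:
        return False
    host = urlsplit(final_url).netloc.lower()
    if host not in allowed_hosts:
        return False
    return content_type_of(final_url).lower().startswith("image/")


if __name__ == "__main__":
    posted = "http://tinyurl.com/aqxq8/foo.jpg"
    print("naive filter accepts:", naive_extension_filter(posted))
    print("browser actually fetches:", resolve(posted)[0])
    print("hardened filter accepts:",
          hardened_check(posted, {"images.example.net"}, lambda u: "text/html"))
```

The point the code makes is that the extension check runs on the string an attacker typed, while the browser's image request runs on whatever the last redirect returns; any filter that does not itself follow the redirect chain and inspect the served Content-Type is checking the wrong thing. Resolving at validation time also exposes the "edit the shortener later" trick from the post only if the check is repeated at serve time, which the example leaves as a caveat rather than solving.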

