Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Shmoocon 2011: URL Enlargement: Is it for you?

Leave a comment Posted by on January 30, 2011

URL Enlargement: Is it for You?

Daniel Crowley

What’s behind short URLs?

  • Are short URLs really being used for bad things?
  • Do URLs contain sensitive information
    • Can you get short URLs removed
  • What are the possible solutions

Underlying issues

  • Easily guessable URLs
  • Storage of sensitive data in URLs
  • Authentication based on knowledge of the URL

URL Shorteners: The why, where and how!

Many exist (see urlshortener.org for a full list)

Very easy to make (lots of plugins available)

 

Specialized shorteners

  • go.usa.gov
    • For .gov and .mil restricted
      • Must have valid .gov/mil email address to setup
      • Restricted to .gov/mil sites
  • bieber.ly
    • Puts Biebers face on every page shortener
  • vb.ly
    • Sex shortener… it’s for PORN!
  • doz.me
    • Embeds landing site in an iFrame and launches a DoS attack against another site

Why shorten?

Users

  • Sharing links on the internet
  • Share link orally

Attackers

  • Obfuscation
  • Filter bypass (hiding direct IP links)
  • Social Engineering
  • Parasitic data storage

URL Shortening algorithms

Hash-based

  • Hash each URL to produce shortened version
  • Only 1 shortened domain per URL
  • Risk of collisions

Incremental

  • Generate shortened URLs sequentially
  • One URL can be stored multiple times
  • No collisions

Interesting attack possibilities

Hash-based

  • URL poisoning through collisions
    • Figure out hashing algorithm
    • Shorten URL containing lots of junk padding
    • Depending on the shortener, the new URL may replace existing one shortened

Incremental

  • Date tracking
    • Create URL every 24 hours
    • Determine when target URLs were shortened
    • Extract URLs for time period

Character Set

  • Base62
  • Very easy to guess

Security Shortcomings

  • Cannot predict Referer header
  • Cannot predict the accessing IP address
  • URLs are predictable
    • Small keyspace
    • Some services let you choose your own URL

The Attack: URL Harvesting

Determine character set and URI length for targeted shortener

Determine case sensitivity by modifying an existing URL

All tested shorteners tested use location header redirects (HEAD requests)

Create URLs to harvest

Profit

Examples:

Photobucket –> Security based on knowing the link

Google Docs –> Knowing the shared link gives access to the shared data

Protocol Handlers

URL shorteners don’t just shorten website addresses

  • mailto:
  • ftp:
  • file:
  • Ed2k:
  • Magnet:
  • Javascript:
  • Webcal:
  • Irc:
  • iOS app IPC
    • Many iPhone apps define there own handlers

Parasitic Storage

  • Base64 encode your file
  • Split it into chunks
  • Optionally, encrypt each chunk
  • “shorten” each chunk as a URL
  • Retrieve it later in chunk form
  • Decrypt, combine

Each chunk can be 256Kb or larger

Tools like TinyDisk offer automated way to achieve this.

In-URL Authentication

  • http://user:pass@example.com
  • Session Identifiers in the URL
  • Auth in GET variables
  • Authentication through knowledge of URL
    • Scribd
    • Facebook
    • Imageshack
    • Photobucket
    • Google Docs

Lonely people sometimes talk to URL shorteners

People type the strangest things into the “short this” box!

Vulnerabilities

Everyone seems to like putting XSS attacks in tinyurls

CSRF seems pretty popular too

  • Qaboss.com was recently hacked
  • Somewhere in Tinyurl theres still an XSS/CSRF attack…

Find 0-Day vulns

  • Search through your gathered list of URLs for SQL statements, File Includes, …

Spam

  • The biggest use of shorteners appears to be spam
  • Multiple TinyUrls pointing to the same spam site
    • Helps disguise things
    • Original TinyUrl address appears in the referrer header

Multiple Shortenings

Shortening a TinyUrl with TinyUrl?

Clearly not the length of the URL that people are worried about here

Attempts to use multiple redirections to frustrate analysis

Interesting target for analysis?

So what can we do?

Can I have my URL taken down?

  • Not easily
    • Unless it’s malicious, defamatory, or breaks the ToS
  • URL shorteners want to keep links intact

How can shorteners be more secure?

  • URL Harvesting
    • Password protected URLs (Trick.ly!)
    • Throttling
    • Temporary lockout on brute-force attempts
      • Especially for non-existant URLs
  • Parasitic Storage
    • No good answer
  • Multiple Shortenings
    • Disallow known shortened links
  • Attacks
    • Filter out common XSS artifacts
    • Compare URLs to list of known badware (some already do)

How can we protect ourselves?

  • Stop shortening sensitive URLs
  • Stop putting sensitive data into URLs
  • Check shortened URLs before accessing them (longurlplease)

Fun Facts

Your chance of finding X behind a short URL

  • Rick Astley: 1 in 12342
  • Goatse: 1 in 10872
  • An EXE file: 1 in 454
  • Audio file: 1 in 290
  • Images: 1 in 47

Most shortened domains

  • Twitter.com
  • Runner-up: YouTube.com

Links:

Conference, Security , ,

Comments are closed.