Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Home

Tag Archives: url shorteners

Shmoocon 2011: URL Enlargement: Is it for you?

Comments Off Posted by ChrisJohnRiley on January 30, 2011

URL Enlargement: Is it for You?

Daniel Crowley

What’s behind short URLs?

Are short URLs really being used for bad things?
Do URLs contain sensitive information
- Can you get short URLs removed
What are the possible solutions

Underlying issues

Easily guessable URLs
Storage of sensitive data in URLs
Authentication based on knowledge of the URL

URL Shorteners: The why, where and how!

Many exist (see urlshortener.org for a full list)

Very easy to make (lots of plugins available)

Specialized shorteners

go.usa.gov
- For .gov and .mil restricted
  - Must have valid .gov/mil email address to setup
  - Restricted to .gov/mil sites
bieber.ly
- Puts Biebers face on every page shortener
vb.ly
- Sex shortener… it’s for PORN!
doz.me
- Embeds landing site in an iFrame and launches a DoS attack against another site

Why shorten?

Users

Sharing links on the internet
Share link orally

Attackers

Obfuscation
Filter bypass (hiding direct IP links)
Social Engineering
Parasitic data storage

URL Shortening algorithms

Hash-based

Hash each URL to produce shortened version
Only 1 shortened domain per URL
Risk of collisions

Incremental

Generate shortened URLs sequentially
One URL can be stored multiple times
No collisions

Interesting attack possibilities

Hash-based

URL poisoning through collisions
- Figure out hashing algorithm
- Shorten URL containing lots of junk padding
- Depending on the shortener, the new URL may replace existing one shortened

Incremental

Date tracking
- Create URL every 24 hours
- Determine when target URLs were shortened
- Extract URLs for time period

Character Set

Base62
Very easy to guess

Security Shortcomings

Cannot predict Referer header
Cannot predict the accessing IP address
URLs are predictable
- Small keyspace
- Some services let you choose your own URL

The Attack: URL Harvesting

Determine character set and URI length for targeted shortener

Determine case sensitivity by modifying an existing URL

All tested shorteners tested use location header redirects (HEAD requests)

Create URLs to harvest

Profit

Examples:

Photobucket –> Security based on knowing the link

Google Docs –> Knowing the shared link gives access to the shared data

Protocol Handlers

URL shorteners don’t just shorten website addresses

mailto:
ftp:
file:
Ed2k:
Magnet:
Javascript:
Webcal:
Irc:
iOS app IPC
- Many iPhone apps define there own handlers

Parasitic Storage

Base64 encode your file
Split it into chunks
Optionally, encrypt each chunk
“shorten” each chunk as a URL
Retrieve it later in chunk form
Decrypt, combine

Each chunk can be 256Kb or larger

Tools like TinyDisk offer automated way to achieve this.

In-URL Authentication

http://user:pass@example.com
Session Identifiers in the URL
- http://www.example.com/?session=xxxxxxxx
Auth in GET variables
- http://www.example.com/?u=user&p=pass
Authentication through knowledge of URL
- Scribd
- Facebook
- Imageshack
- Photobucket
- Google Docs

Lonely people sometimes talk to URL shorteners

People type the strangest things into the “short this” box!

Vulnerabilities

Everyone seems to like putting XSS attacks in tinyurls

CSRF seems pretty popular too

Qaboss.com was recently hacked
Somewhere in Tinyurl theres still an XSS/CSRF attack…

Find 0-Day vulns

Search through your gathered list of URLs for SQL statements, File Includes, …

Spam

The biggest use of shorteners appears to be spam
Multiple TinyUrls pointing to the same spam site
- Helps disguise things
- Original TinyUrl address appears in the referrer header

Multiple Shortenings

Shortening a TinyUrl with TinyUrl?

Clearly not the length of the URL that people are worried about here

Attempts to use multiple redirections to frustrate analysis

Interesting target for analysis?

So what can we do?

Can I have my URL taken down?

Not easily
- Unless it’s malicious, defamatory, or breaks the ToS
URL shorteners want to keep links intact

How can shorteners be more secure?

URL Harvesting
- Password protected URLs (Trick.ly!)
- Throttling
- Temporary lockout on brute-force attempts
  - Especially for non-existant URLs
Parasitic Storage
- No good answer
Multiple Shortenings
- Disallow known shortened links
Attacks
- Filter out common XSS artifacts
- Compare URLs to list of known badware (some already do)

How can we protect ourselves?

Stop shortening sensitive URLs
Stop putting sensitive data into URLs
Check shortened URLs before accessing them (longurlplease)

Fun Facts

Your chance of finding X behind a short URL

Rick Astley: 1 in 12342
Goatse: 1 in 10872
An EXE file: 1 in 454
Audio file: 1 in 290
Images: 1 in 47

Most shortened domains

Twitter.com
Runner-up: YouTube.com

Links:

Shmoocon Schedule –> HERE
Talk synopsis –> HERE
Dan Crowley Twitter –> @dan_crowley

Conference, Security Security, Shmoocon, url shorteners

RSS feed

The contents of this personal blog are solely my own opinions and comments, as such they do not reflect the opinions of my employer(s) past, present or future. No legal liability is accepted for anything you do, think, or consider fact as the basis of articles and links posted on this blog.

"Three to one...two...one...probability factor of one to one...we have normality, I repeat we have normality. Anything you still can’t cope with is therefore your own problem."

Note: A large portion of content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such errors and emissions are expected. I'm only human after all!