TinyURL Exploitation

I came across TinyURL again with some recent comment spam; it was interesting that the spammer was using a single TinyURL as his/her webpage. This made me curious as to what was behind door number 1.

I was initially planning to work out TinyURL’s encoding method and write a program to decode them (for fun), but soon lost interest when I saw that TinyURL already provides a “very cool” preview link. My initial TinyURL.com query script is included below for interested parties. I may still do some research in this area, as a persistent XSS attack in the preview feature may leave the curious minded “owned”.

It isn’t new that TinyURL-type sites can be used in phishing attacks, although I haven’t seen any of these myself. More interesting was the article pdp released a short time ago: TinyURL as a storage house for mobile code. I thought this was an absolutely awesome idea.

In theory we can backdoor TinyURL with a plethora of web technologies using the ‘data:’ URL scheme; in reality this doesn’t seem to work, or at least my tests proved unfruitful.

1. My test code for TinyURL:
<script>
alert('test');
</script>

2. We base64-encode it and wrap it in a data: URL:
data:text/html;base64,PHNjcmlwdD4NCmFsZXJ0KCd0ZXN0Jyk7DQo8L3NjcmlwdD4=

3. We let TinyURL do its magic. We are left with:
http://tinyurl.com/ymcj59

That’s where the rabbit hole ended for me. This seems to be a Firefox restriction/bug rather than a TinyURL thing: to test this, I set up my own redirect and got the exact same response as TinyURL. Link here if you want to try this yourself.

When in doubt, keep it simple; simply creating a link to a malicious page will do. A 302 redirect attack could be used on the attacker-controlled system in the event that the user is curious and previews our links.

To summarise, I agree with pdp. I can definitely see potential for badness here, from a phishing and worm perspective. Since we can’t use ‘data:’ to store mobile code, we can use TinyURL’s very own “preview” feature instead.

Generally speaking, organisations would be wise to add TinyURL type services to their spam blacklist. These services are useful but deceiving in my opinion. Would you walk down a dark alley?
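As an added example (not code from the original post), here is a small Python filter in the spirit of the blacklist recommendation above and of the data: URL experiment in steps 1-3: it decodes a data: URL such as the one produced in step 2 to show exactly what a redirector would hand the browser, flags active content in it, and flags links to known shortener hosts. The SHORTENER_HOSTS list, the ACTIVE_CONTENT pattern and the verdict strings are my constructed assumptions; a real deployment would maintain its own lists.

```python
import base64
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed shortener list for this example (assumption, not from the post).
SHORTENER_HOSTS = {"tinyurl.com", "preview.tinyurl.com"}

# The base64 data: URL from step 2 of the post.
DATA_URL = "data:text/html;base64,PHNjcmlwdD4NCmFsZXJ0KCd0ZXN0Jyk7DQo8L3NjcmlwdD4="

# Constructed pattern for markup that executes script when rendered.
ACTIVE_CONTENT = re.compile(rb"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def decode_data_url(url):
    """Return (mediatype, body_bytes) for a data: URL, or None if it is not one.

    Follows RFC 2397: data:[<mediatype>][;base64],<payload>
    """
    if not url.lower().startswith("data:"):
        return None
    header, sep, payload = url[5:].partition(",")
    if not sep:
        return None  # no comma, so no payload; malformed
    params = [p.strip() for p in header.split(";")]
    mediatype = params[0] or "text/plain"
    if "base64" in (p.lower() for p in params[1:]):
        payload = payload.strip()
        payload += "=" * (-len(payload) % 4)  # tolerate stripped padding
        body = base64.b64decode(payload)
    else:
        body = unquote_to_bytes(payload)  # percent-encoded form
    return mediatype, body


def classify_url(url):
    """Classify a link the way a mail or web filter might; returns a verdict string."""
    lowered = url.strip().lower()
    if lowered.startswith(("javascript:", "vbscript:")):
        return "block: script scheme"
    decoded = decode_data_url(url.strip())
    if decoded is not None:
        mediatype, body = decoded
        # HTML, or anything containing script hooks, runs in the user's browser
        # with whatever origin the browser assigns it; treat it as a page, not a link.
        if mediatype.lower().startswith("text/html") or ACTIVE_CONTENT.search(body):
            return "block: data: URL carrying active content"
        return "review: data: URL (%s, %d bytes)" % (mediatype, len(body))
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        return "block: URL shortener"
    if parts.scheme not in ("http", "https"):
        return "review: unusual scheme %r" % parts.scheme
    return "allow"


if __name__ == "__main__":
    mediatype, body = decode_data_url(DATA_URL)
    print(mediatype, body)  # text/html b"<script>\r\nalert('test');\r\n</script>"
    for link in (DATA_URL, "http://tinyurl.com/ymcj59", "https://example.com/page"):
        print(link[:40], "->", classify_url(link))
```

Decoding the payload first matters: the shortener strips nothing, so whatever sits behind the short link is what the browser will render, and a filter that only looks at the visible tinyurl.com host learns nothing about it.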

#!/bin/sh
# tinyurl.sh
# Creates a URL at http://tinyurl.com and gets us the encoding.
# 21 Dec 06

# We can use a one-line shell loop with perl to play further:
# for ((i=1;i<=50;i++)) ; do echo -n "$i " ;
# ./tinyurl.sh `perl -e 'print "b"x'$i` ; sleep 1 ; done

if [ $# -lt 1 ]; then
        echo "usage: $0 tinyarg"
        exit 1
fi

URL=$1
# Raw HTTP/1.1 request. Headers end at the first blank line, so the
# Connection header has to come before it, not after.
REQ="GET /create.php?url=$URL HTTP/1.1\r\n"
DATA="Host: tinyurl.com\r\nConnection: close\r\n\r\n"

#echo "Sending: $REQ"
# %b expands the \r\n escapes portably (echo -e is not POSIX sh).
# The response carries the new link in a hidden form field named tinyurl;
# the cuts drop everything up to the fourth '/' and the closing quote,
# leaving just the generated code.
printf '%b' "$REQ$DATA" | nc tinyurl.com 80 | grep 'hidden name=tinyurl' \
        | cut -d / -f 4 | cut -d '"' -f 1

1 Comment so far

  1. Luis @ December 5th, 2007

    Well, I can't agree more.
