Hi,
Background:
A number of sites allow minimally controlled 3rd parties to post links to
images which other 3rd parties can view, and the only filtering used is
some pattern matching to ensure that a URL has the "correct" extension.
However, such filtering has problems if the "image" URL actually redirects
to a URL on a target site that does some naughty stuff.
Main:
Previously, attackers were required to at least "own" the site the image URL
points to, which may be a bit inconvenient and may leave a greater trail.
However, some URL shortening or condensing services allow one to append
additional data to the URL so as to pass the pattern matching and still
work. This allows attackers additional freedom.
e.g.
http://snipurl.com/hkgb
becomes:
http://www.google.com.my/search?hl=en&q=test&meta=
And
http://snipurl.com/hkgb/blahblah.jpg
becomes:
http://www.google.com.my/search?hl=en&q=test&meta=/blahblah.jpg
The following
http://tinyurl.com/aqxq8
becomes
http://mail.google.com/mail/?logout&test=
And
http://tinyurl.com/aqxq8/foo.jpg
Goes to
http://mail.google.com/mail/?logout&test=/foo.jpg
Which seems to log one out of google mail :).
Some URL shortening pages send a meta refresh page instead, which helps
prevent them being abused in this way, but of course it means users of such
services have to wait or make an additional click.
There might be other things which one can do. Any ideas?
By the way:
Some URL shortening services use a predictable "incrementing" URL. And you
might be able to point some of them to each other. Loops may be mildly
amusing, but aside from that this may allow someone to only add the payload
URL(s) AFTER the target site has done some validation by visiting the links
(and finding only "normal" HTML pages grumbling about the URL not being in
the records or something).
snipurl seems to reject tinyurl URLs (but not vice versa).
An overview of a few url condensing services:
http://notlong.com/links/
(note that "nondeterministic" on that page means something different from
non-predictable. Also see the "path forwarding" bit).
:)
Received on Sep 12 2005
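The bypass described in the post, modelled offline as an added example (not code from the original post or from either shortening service): a naive extension filter that only pattern-matches the submitted URL string, beside a hardened check that follows the redirects first and tests the extension of the URL the browser would actually fetch. The shortener lookup table, the `loop1`/`loop2` short codes and the `images.example.org` host are constructed assumptions for the demo; the two real short links are filled in with the targets the post reports for them.

```python
import re
from urllib.parse import urlsplit

# Constructed, offline model of "path-forwarding" shorteners: whatever the
# visitor appends after the short code is tacked onto the stored target, as
# the post shows for snipurl and tinyurl. This table is an assumption for the
# demo, not live data from either service.
SHORTENER_TABLE = {
    ("snipurl.com", "hkgb"): "http://www.google.com.my/search?hl=en&q=test&meta=",
    ("tinyurl.com", "aqxq8"): "http://mail.google.com/mail/?logout&test=",
    # hypothetical pair of short links pointing at each other (a loop)
    ("tinyurl.com", "loop1"): "http://tinyurl.com/loop2",
    ("tinyurl.com", "loop2"): "http://tinyurl.com/loop1",
}

IMAGE_EXT_RE = re.compile(r"\.(jpe?g|png|gif)$", re.IGNORECASE)


def naive_allows(url):
    """The filter the post describes: pattern-match the extension on the
    submitted URL string and look no further."""
    return bool(IMAGE_EXT_RE.search(urlsplit(url).path))


def resolve_once(url):
    """Simulate the single redirect a path-forwarding shortener would send.
    Returns the Location the shortener would answer with, or None if url is
    not one of the (constructed) short links."""
    parts = urlsplit(url)
    code, _, extra = parts.path.lstrip("/").partition("/")
    target = SHORTENER_TABLE.get((parts.netloc.lower(), code))
    if target is None:
        return None
    # Path forwarding: the trailing path is appended verbatim, even when the
    # target already ends in a query string, so ".jpg" lands inside the query.
    return target + ("/" + extra if extra else "")


def resolve(url, max_hops=5):
    """Follow simulated redirects to the final URL.
    Raises ValueError on a loop or when max_hops is exhausted."""
    seen = set()
    while len(seen) < max_hops:
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        nxt = resolve_once(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("too many redirects")


def hardened_allows(url):
    """Check the extension on the URL the browser would finally fetch, not on
    the string the poster submitted, and reject anything that loops or
    redirects too far. A real deployment would do the resolution with
    HEAD/GET requests that follow redirects and would also check the final
    response's Content-Type rather than trusting the extension alone."""
    try:
        final = resolve(url)
    except ValueError:
        return False
    return bool(IMAGE_EXT_RE.search(urlsplit(final).path))


if __name__ == "__main__":
    for u in ("http://snipurl.com/hkgb/blahblah.jpg",
              "http://tinyurl.com/aqxq8/foo.jpg",
              "http://tinyurl.com/loop1/x.jpg",
              "http://images.example.org/cat.jpg"):   # hypothetical host
        print(u, "naive:", naive_allows(u), "hardened:", hardened_allows(u))
```

Because the post also notes that a short link can be repointed after the site has validated it, the hardened check is only worth much if it runs again at the time the page is rendered (or the image is proxied), not just once at submission time.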