Brute forcing URL shorteners
I experimented with brute-forcing URL shortening services.
Here’s the repo (Python).
Here’s a .tsv of all the two-character bit.ly links and the URLs they forward to.
It works like this:
- Generate the valid URLs
- Send an HTTP request with the requests library
There have been a decent number of stories lately about the security risks posed by URL shorteners because they can be trivially brute forced. A lot of shortened links are probably meant to be public, such as URLs shortened for sharing on social media, but I guess some services, like OneDrive, use short URLs for documents.
Disabling redirects
Since I only wanted to find the full URLs that were being redirected to, and not actually download their content, I set the requests allow_redirects option to False.
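The effect of not following redirects, as an added example that is not code from the repo: a short link is expanded by reading the Location header of the shortener's response, and the destination is never requested. It uses the standard library's http.client, which never follows redirects, in place of requests with allow_redirects=False. The stub server, the /ab and /zz codes and the /landing path are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

LINKS = {}  # short path -> destination; filled in by demo() (constructed data)
HITS = []   # every path the stub server was actually asked for


class StubShortener(BaseHTTPRequestHandler):
    """Local stand-in for a shortener: 301 for known codes, 404 otherwise."""
    def do_GET(self):
        HITS.append(self.path)
        target = LINKS.get(self.path)
        self.send_response(301 if target else 404)
        if target:
            self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def expand(short_url, timeout=5):
    """Return (status, Location) for one short URL without following it."""
    parts = urlsplit(short_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()  # drain the (empty) redirect body
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def demo():
    """Expand one known and one unknown code against the local stub."""
    HITS.clear()
    server = HTTPServer(("127.0.0.1", 0), StubShortener)
    base = "http://127.0.0.1:%d" % server.server_address[1]
    LINKS["/ab"] = base + "/landing"  # constructed destination
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return [expand(base + "/ab"), expand(base + "/zz")], list(HITS)
    finally:
        server.shutdown()
        server.server_close()
```

demo() returns the two (status, Location) results together with the paths the stub saw; /landing is absent from that list because the redirect target was only read, not fetched.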