Brute forcing URL shorteners

jake kara
October 9, 2016

I experimented with brute-forcing URL shortening services. Here’s the repo (Python). Here’s a .tsv of all the two-character bit.ly links and the URLs they forward to.

It works like this:

1. Generate the valid URLs
2. Send an HTTP request with the requests library

There have been a decent number of stories lately about the security risks posed by URL shorteners because they can be trivially brute forced. A lot of shortened links are probably meant to be public, such as URLs shortened for sharing on social media, but I guess some services, like OneDrive, use short URLs for documents.

disabling redirects

Since I only wanted to find the full URLs that were being redirected to, and not actually download their content, I set the requests allow_redirects option to False.

    import requests
    r = requests.get(url, allow_redirects=False)  # redirect is not followed; the target is in r.headers["Location"]
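To put a number on "trivially brute forced", the following added example (not from the original post or its repo) estimates how token length changes the chance that a guessing client lands on a live short link, which is the sizing question a service operator has to answer. The 62-character alphabet, the link count and the request rate are assumptions chosen for illustration.

```python
import math
import string

# Assumption: tokens use [a-zA-Z0-9]; the post does not state the service's alphabet.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of exactly `length` characters."""
    return alphabet_size ** length


def hit_probability(length, live_links, guesses, alphabet_size=len(ALPHABET)):
    """Chance that at least one of `guesses` uniformly random tokens is a live link."""
    density = min(1.0, live_links / keyspace(length, alphabet_size))
    if density >= 1.0:
        return 1.0
    # 1 - (1 - d)^g, computed with log1p/expm1 so tiny densities do not round to 0
    return -math.expm1(guesses * math.log1p(-density))


def min_token_length(live_links, guesses, max_probability, alphabet_size=len(ALPHABET)):
    """Shortest token length keeping the hit probability at or below the target."""
    length = 1
    while hit_probability(length, live_links, guesses, alphabet_size) > max_probability:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed figures for illustration, not measurements of any service.
    live_links = 1_000_000          # documents shared through short links
    guesses = 10 * 86_400           # one client at 10 requests/s for a day
    for length in (2, 6, 8, 12):
        p = hit_probability(length, live_links, guesses)
        print(f"length {length:2d}: keyspace {keyspace(length):.3e}, P(hit) = {p:.3g}")
    print("length needed for P(hit) <= 1e-6:",
          min_token_length(live_links, guesses, 1e-6))
```

Under these assumptions the two-character space holds only 3,844 tokens, so links meant to stay private need tokens long enough that the keyspace dwarfs both the number of live links and any realistic request budget.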