tags:

views:

277

answers:

5
+1  Q: 

url shortening service

I want to write a url shorten service. I trying to think of scenarios that would be dangerous. one I thought of was if a submitted url is from my own website, it would create an inifinite redirection loop.

can you guys think of any other situations? (security holes, bugs...)

+2  A: 

Instead of trying to think of the "Dangerous" scenarios, try and think of how you can write it without there being any risk to yourself regardless of any security holes / bugs.

Might not solve all of the problems you end up coming across but is a much better way of avoiding problems.

Robin Day  2009-03-06 18:04:03
Most browsers will stop redirecting after they feel it's happened too many times. You can always check for the server name/IP when doing the URLs.
Nerdling  2009-03-06 18:11:00
+1  A: 

Write it to avoid behavior that would be caused by security holes. In the case of your example, if you get more than x number of requests from the same IP in X time period.

Thinking along these lines will eliminate more threats than trying to block them up front.

AFHood  2009-03-06 18:07:19
A: 

Many of the dangers in a service like this are not as dangerous to you as to the users of your service. If you do a search for TinyURL and security you'll find a lot of things like this:

http://www.readwriteweb.com/archives/tinyurl_being_used_to_bypass_safe_browsing_filters.php

I would do a lot of research on TinyURL and Bit.ly to see how they've addressed these issues.

As far as your own application goes, all of the standard best-practices apply. Validate input, insert safely into your database, etc.

Boden  2009-03-06 18:09:06
A: 

You could always check to see if it comes from your service.

And if you are worried about it being a TinyURL to your tinier URL, you can always follow the link and if it ever ends up back at your site, kill it.

Jeremy  2009-03-06 18:09:07
+2  A: 

You probably already know of it, but I feel obliged to point out TinyURL which does exactly what you're trying to do.
That said, there really aren't many technical problems that can arise, aside from the obvious infinite redirection one you describe. The bigger problems will be political -- people hiding spam, porn or malicious sites behind your urls, people creating 'amusing' urls pointing to somewhere they think is funny, and so on.
Have a look at the Wikipedia entry for TinyURL to get an idea of the problems they've encountered.

Whatsit  2009-03-06 18:10:22

related questions

Create query parameters in javascript
ASP.NET MVC: Making routes/URLs IIS6 and IIS7-friendly
Relative urls for Javascript files
How to play a sound in Actionscript 3 that is not in the same directory as the SWF?
Sending values through links (html)
PHP: GET-data automatically being declared as variables
How can I set a timeout against a BufferedReader based upon a URLConnection in Java?
Getting a full list of the URLS in a rails application
Is it the filename or the whole URL used as a key in browser caches?
How do I register a custom URL protocol in Windows?
getting java exception: java.net.MalformedURLException: no protocol
Why do some websites add "Slugs" to the end of URLs?
Friendly URLs for ASP.NET
How to generate urls in django
square brackets in URLs
Does new URL(...).openConnection() necessarily imply a POST?
How do I generate a friendly URL in Symfony PHP?
Getting parts of a URL (Regex)
.NET - Get protocol, host, and port
how to get locale information on a GWT application
How do I convert a file path to a URL in ASP.NET
Can I generate ASP.NET MVC routes from a Sitemap?
URL without ID
ASP.NET URL Rewriting
Modify Address Bar URL in AJAX App to Match Current State