I want to write a URL shortening service. I'm trying to think of scenarios that would be dangerous. One I thought of was: if a submitted URL is from my own website, it would create an infinite redirection loop.

Can you guys think of any other situations? (security holes, bugs...)

+2  A: 

Instead of trying to think of the "Dangerous" scenarios, try and think of how you can write it without there being any risk to yourself regardless of any security holes / bugs.

Might not solve all of the problems you end up coming across, but it is a much better way of avoiding problems.

Robin Day
Most browsers will stop redirecting after they feel it's happened too many times. You can always check for the server name/IP when doing the URLs.
Nerdling
+1  A: 

Write it to avoid behavior that would be caused by security holes. In the case of your example: if you get more than X requests from the same IP in a given time period.

Thinking along these lines will eliminate more threats than trying to block them up front.

AFHood
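The per-IP limit described in the answer above, as an added example that is not code from the original thread or from any poster. It is a sliding-window limiter: each client keeps a queue of recent request timestamps, timestamps older than the window are discarded, and a request is refused once the queue is full. The clock is injectable so the behaviour can be checked deterministically; `simulate` replays a constructed list of (time, ip) events and returns the allow/deny decision for each. The limit of 3 requests per 60 seconds is an assumed value for illustration.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock              # injectable for deterministic testing
        self._hits = defaultdict(deque)  # client -> timestamps of recent allowed requests

    def allow(self, client_ip):
        """Return True if the request is within the limit and record it, else False."""
        now = self.clock()
        hits = self._hits[client_ip]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def simulate(events, limit=3, window=60):
    """Replay constructed (timestamp, client_ip) events through a limiter.

    Returns one boolean per event: True if the request would have been served.
    """
    current = {"t": 0.0}
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: current["t"])
    decisions = []
    for t, ip in events:
        current["t"] = float(t)
        decisions.append(limiter.allow(ip))
    return decisions


if __name__ == "__main__":
    # Constructed sample traffic: one client bursts four submissions, then
    # returns after the window has mostly expired; a second client is unaffected.
    sample = [(0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
              (3, "198.51.100.7"), (61, "198.51.100.7"), (62, "198.51.100.9")]
    for (t, ip), ok in zip(sample, simulate(sample)):
        print(f"t={t:>3} {ip:<14} {'allowed' if ok else 'rejected'}")
```

In a real deployment the per-IP state would live in a shared store such as Redis rather than process memory, and the limit would apply to the submission endpoint specifically, since that is where abuse (spam links, mass registration of short codes) concentrates.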
A: 

Many of the dangers in a service like this are not as dangerous to you as to the users of your service. If you do a search for TinyURL and security you'll find a lot of things like this:

http://www.readwriteweb.com/archives/tinyurl_being_used_to_bypass_safe_browsing_filters.php

I would do a lot of research on TinyURL and Bit.ly to see how they've addressed these issues.

As far as your own application goes, all of the standard best-practices apply. Validate input, insert safely into your database, etc.

Boden
A: 

You could always check to see if it comes from your service.

And if you are worried about it being a TinyURL to your tinier URL, you can always follow the link and if it ever ends up back at your site, kill it.

Jeremy
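Both the question's own-site loop and Jeremy's suggestion of following the chain and refusing anything that lands back on the service, as an added example that is not code from the thread or from any poster. `check_target` validates the scheme and host, then walks the redirect chain with a hop limit and a seen-set, rejecting a URL that points at the shortener's own hosts at any hop, that loops between external pages, or that redirects more than `MAX_HOPS` times. The hostnames in `OWN_HOSTS`, the hop limit and the `FAKE_REDIRECTS` table are constructed for the example; `resolve_redirect` is injected so the code runs offline, and in production it would be an HTTP request with redirects disabled and a timeout.

```python
from urllib.parse import urljoin, urlparse

# Hostnames the shortener itself is served from (assumed for the example).
OWN_HOSTS = {"sho.rt", "www.sho.rt"}
ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5


def normalize_host(url):
    """Return the lowercase hostname of `url`, or None if scheme/host are unusable."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def check_target(url, resolve_redirect, own_hosts=OWN_HOSTS, max_hops=MAX_HOPS):
    """Decide whether `url` may be shortened. Returns (ok, reason).

    resolve_redirect(url) returns the Location the remote server answers with,
    or None for a final (non-redirect) response.
    """
    seen = set()
    current = url
    for hop in range(max_hops + 1):
        host = normalize_host(current)
        if host is None:
            return False, f"unsupported or unparsable url: {current}"
        if host in own_hosts:
            return False, f"points back at this service after {hop} hop(s): {current}"
        if current in seen:
            return False, f"redirect loop detected at {current}"
        seen.add(current)
        location = resolve_redirect(current)
        if location is None:
            return True, "ok"
        # Location headers may be relative; resolve them against the current URL.
        current = urljoin(current, location)
    return False, f"more than {max_hops} redirects"


# Constructed redirect table standing in for live HTTP responses.
FAKE_REDIRECTS = {
    "http://tinyurl.example/abc": "https://sho.rt/xyz",      # another shortener pointing back at us
    "https://example.com/start": "/final",                   # relative Location, one hop, then final
    "https://a.example/1": "https://a.example/2",
    "https://a.example/2": "https://a.example/1",            # loop between two external pages
}


def fake_resolve(url):
    """Offline stand-in for an HTTP request that reads the Location header."""
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for candidate in ["https://example.com/start", "https://sho.rt/abc",
                      "http://tinyurl.example/abc", "https://a.example/1",
                      "javascript:alert(1)", "ftp://example.com/file"]:
        print(candidate, "->", check_target(candidate, fake_resolve))
```

The seen-set catches loops that never touch the shortener's own host, which the own-host check alone would miss, and the hop limit bounds the work an attacker can make the service do per submission. Comparing hostnames rather than raw strings also avoids being fooled by differences in case, port, or path.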
+2  A: 

You probably already know of it, but I feel obliged to point out TinyURL, which does exactly what you're trying to do.

That said, there really aren't many technical problems that can arise, aside from the obvious infinite redirection one you describe. The bigger problems will be political -- people hiding spam, porn or malicious sites behind your URLs, people creating 'amusing' URLs pointing to somewhere they think is funny, and so on.

Have a look at the Wikipedia entry for TinyURL to get an idea of the problems they've encountered.

Whatsit