## Tuesday, March 12, 2013

### A Safer Way to test the Validity/Safety of a Link

One thing that's always bothered me is figuring out if a link is legitimate or potentially a security risk. This is especially problematic with shortened URL's. I really dislike these and don't follow shortened URLs unless I absolutely know it's a trusted link. Many times just knowing the poster isn't enough to convince me to click a shortened URL as it's way to easy for someone to have their account compromised.

So how do you analyze the contents of a target link in a safer environment other than test-clicking willy-nilly in a browser?

To try and solve this problem I thought that using cURL might be a good way to solve this problem. cURL is a command-line utility which allows you to transfer data over various protocols, including http and https. It doesn't run any javascript or other client-side code so in theory should a safe way to get the contents of a webpage for closer inspection. You can also specify what kind of data gets sent along with your request such as user authentication, cookies, and/or form information.

For added security I decided to create a special virtual machine dedicate to this purpose. The virtual machine has unique usernames, passwords, and I make it a point to keep no sensitive information on the virtual machine. The OS I'm using for my virtual machine is Ubuntu 12.04 LTS Server 64-bit edition. It's easy to setup and provides the most basic interfaces necessary to do testing with. My reasoning is that the fewer software components I have installed the fewer potential vulnerabilities will be available for exploiting. I also avoid using Windows for this scenario because a vast number of malicious code is targeted towards Windows. This is not to say that Windows is necessarily less secure, just that people tend to target Windows more often than other operating systems because it's one of the most commonly used by your average consumer. Also the Ubuntu Server installation comes with cURL installed by default. Of course this is rapidly changing as the computer and information technologies industry changes. In the near future I wouldn't be surpised if there were more exploits targeted towards MacOS/Linux or mobile operating systems like Android/IOS.

Using cURL is fairly simple. I pass the URL I want to retrieve and dump it into a file for further analysis. To provide the most complete picture of what's going on I add the verbose options and ocassionally will use automatic redirection following. Just in case there's an infinite redirection it's possible to limit the number of redirections to follow (the default is 50).

curl -v --location helloworld922.blogspot.com > dump.log 2>&1


This command will dump the contents of the target url into dump.log for further analysis. It also redirects the stderr output into the log file in addition to the stdout output. stderr is used by curl for diagnostic type information such as request header information. I'm now free to examine the contents of the file to my hearts content in relative safety. Determining if a page is actually safe is a bit harder to do even with the contents at your disposal and I'm not going to go into the details here. Here's a short excerpt of the above command.

About to connect() to helloworld922.blogspot.com port 80 (#0)
Trying 74.125.225.203...
connected
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.01 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: helloworld922.blogspot.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8


And for a test, let's check out what a shortened URL dump might look like. I created a shortened URL which points to my blog: http://goo.gl/IxDdy (Note: read the ending note before trying to follow this link in a browser). Here's a small portion of the dump file:

About to connect() to goo.gl port 80 (#0)
Trying 74.125.225.194...
connected
> GET /IxDdy
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.01 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: goo.gl
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Location: http://helloworld922.blogspot.com/


Other than the one example shortened url I posted above as a demonstration, I'll never post a shortened URL in emails, blog posts, or any other type of posts so if you get something from me with a shortened url do NOT follow it! I wouldn't recommend you following the posted shortened URL, either. It's there purely for testing/demonstration purposes. I'm not entirely sure how shortened URLs maintain their life, but I wouldn't be too surprised if in the future it redirected to a potentially malicious page. You can test out the cURL method on the shortened URL for fun and see if it actually redirects to where I say it does :)

As a last note, sometimes the best solution is to just not follow the link.