URL shorteners

There is another potential vector to consider when managing redirects: URL shorteners. Sometimes the URL generated by an application or written by a developer is too long or complex to remember; URL shorteners were created for exactly those cases.

URL shorteners are services where anyone can store a URL, temporarily or permanently, and receive a new one in return. This new URL is shorter than the original and easy to remember. A user can reach the resource through the shorter URL, and the service redirects them to the original one.

For example, imagine we have an original URL, such as the following:

http://www.testsite.com/redirect?url=http://othersite.com/evil.php

This looks malicious, and a normal user may not want to click on it, even when it is percent-encoded:

http://www.testsite.com/redirect?url=%68%74%74%70%3A%2F%2F%65%76%69%6C%77%65%62%73%69%74%65%2E%63%6F%6D%2F%70%77%6E%7A%2E%70%68%70

It still looks odd, but if we pass it through a shortener we get a URL that appears perfectly normal:

http://tinyurl.com/36lnj2a

Here are some of the impacts of these kinds of URLs:

  • They could carry XSS payloads that neither the user nor the browser detects.
  • They can be used to bypass warning notifications.
  • They can hide changes to paths in the original URL that upload or extract files.
  • They are very difficult to block.
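A shortener only disguises the link; the weakness that makes it dangerous is the redirect endpoint on the original site accepting any destination. As an added example (not from the book), the following Python validator checks whether the decoded `url` parameter of a redirect link stays on an allowlisted host, including the percent-encoded form shown above. The allowlist and the sample URLs are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed allowlist: the only hosts our /redirect endpoint may send users to.
ALLOWED_HOSTS = {"www.testsite.com", "testsite.com"}
MAX_DECODE_ROUNDS = 3


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so double-encoded targets (e.g. %252F) are caught."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def redirect_target(url: str, param: str = "url") -> Optional[str]:
    """Return the redirect target carried by `param` (decoded once by parse_qs), or None."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param)
    return values[0] if values else None


def is_safe_redirect(target: str) -> bool:
    """True only if the decoded target stays on an allowlisted host or is a local path."""
    decoded = fully_decode(target).strip()
    # Browsers treat backslashes like slashes, so "http:\\evil" would become absolute.
    decoded = decoded.replace("\\", "/")
    parts = urlsplit(decoded)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data: and friends are never valid redirects
    if parts.netloc:
        # hostname strips userinfo and port, so "allowed.com@evil.com" resolves to evil.com
        return parts.hostname in ALLOWED_HOSTS
    # Relative path: reject scheme-relative "//host" forms that would leave the site.
    return decoded.startswith("/") and not decoded.startswith("//")


def classify(url: str) -> str:
    """Label a full redirect link as safe, open-redirect, or lacking the parameter."""
    target = redirect_target(url)
    if target is None:
        return "no-redirect-param"
    return "safe" if is_safe_redirect(target) else "open-redirect"
```

Run `classify()` over the redirect links in your access logs to spot which destinations the endpoint has actually been used for; the same check belongs in the endpoint itself before it issues the 302.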