How to reverse a shortened URL with a single command on GNU/Linux

Remember that old saying: if you don’t know the source, don’t click it? With all these new URL shortening services, that advice seems to have been thrown out the window. As a result, evildoers are embracing the technology to disguise their malware sites behind shortened URLs.

This is obviously effective, as a URL like hxxps://goo.gl/3BSi65 would have a much easier time getting past your spam filter than, say, something like hxxp://h4x0r.tld/inject.aspx

So why are goliaths like Microsoft and Google using shortened URLs, one might ask? Well, since they are nice enough to give us short and sweet URLs, we’ll let them track us, profile us and give us better targeted ads in return, a fair trade or what…

Anyhow, the technology behind a shortened URL is just a standard URL redirection, so by examining the HTTP header, it’s entirely possible to identify the “long URL” that a service is pointing to.

By using cURL with the -I option we can query a shortened URL and fetch only the HTTP header of the reply. The answering server will then reveal the actual target URL.

Microsoft is using the spr.ly (Sprinklr) service on their Twitter account, so let's use the shortlink spr.ly/6016hkJE as an example.

curl -I http://spr.ly/6016hkJE

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache,no-store,must-revalidate
Cache-control: no-cache="set-cookie"
Content-Type: text/html;charset=UTF-8
Date: Mon, 08 Jun 2015 18:27:21 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://blogs.msdn.com/b/visualstudio/archive/2015/05/29/extending-visual-studio-2015.aspx
Pragma: no-cache
Server: Sprinklr
...

Let's break it down by examining two rather self-explanatory fields from the reply:

  1. HTTP/1.1 301 Moved Permanently:
    This part means exactly what it says, the URL has been moved and we should follow the new location provided by this server.
  2. Location: http://blogs.msdn.com/b/visualstudio/archive/2015/05/29/extending-visual-studio-2015.aspx:
    The actual URL the server is instructing us to use instead of the original shortlink.

When clicking a shortened URL, your browser will automatically perform the instructed steps to navigate you to the designated target. Next time around though, why not inspect the URL with cURL beforehand?
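A shortlink does not always point straight at the final page; it can point at another redirector. The following is an added example, not part of the original post: a small shell helper that repeats the header-only request hop by hop and prints every URL in the chain. The function names extract_location, resolve_location and expand_url are made up for this example.

```sh
#!/bin/sh
# Added example: extract_location, resolve_location and expand_url are
# hypothetical helper names, not part of curl.
# Usage (after sourcing this file): expand_url http://spr.ly/6016hkJE

# Print the Location value found in raw HTTP response headers on stdin.
# Header names are case-insensitive and header lines end in CRLF.
extract_location() {
    tr -d '\r' | awk 'tolower($0) ~ /^location:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Turn a Location value into an absolute URL, relative to the URL that sent it.
# Handles absolute, scheme-relative (//host/..) and root-relative (/path) forms.
resolve_location() {
    base=$1; loc=$2
    scheme=${base%%://*}
    rest=${base#*://}
    host=${rest%%[/?#]*}
    case $loc in
        //*)   printf '%s:%s\n' "$scheme" "$loc" ;;
        /*)    printf '%s://%s%s\n' "$scheme" "$host" "$loc" ;;
        *://*) printf '%s\n' "$loc" ;;
        *)     return 1 ;;
    esac
}

# Follow a short link one hop at a time with header-only (HEAD) requests,
# printing every URL in the chain. Stops after $2 hops (default 10).
expand_url() {
    url=$1; max=${2:-10}; hop=0
    while [ "$hop" -lt "$max" ]; do
        printf '%s\n' "$url"
        loc=$(curl -sI --max-time 10 -- "$url" | extract_location)
        [ -n "$loc" ] || return 0          # no Location: end of the chain
        url=$(resolve_location "$url" "$loc") || {
            echo "unsupported relative Location: $loc" >&2; return 1; }
        hop=$((hop + 1))
    done
    echo "gave up after $max redirects" >&2
    return 1
}
```

Each hop is still a real request to that server, so the shortening service sees the lookup. Redirects performed in HTML or JavaScript rather than with a Location header will not show up this way.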
