I was reading Mike Rothman’s warning about the dangers of TinyURL, the famous URL shortener. Mike’s right of course. Someone could easily disguise a malicious URL and get you to click on a link that you wouldn’t have clicked otherwise, because the raw link would have looked obviously like an XSS attempt by nature of the visible HTML tags. If you did click on the link you’d be redirected (301) to the malicious XSS URL and your session cookies for just about any website would have gone bye-bye, or worse.
What I think we’re all missing though is that by just deciding not to use TinyURL we’re really not solving the client-side (browser) problem. What about the many other identical services like doiop, notlong, and shorturl? We can’t possibly memorize the names of all of them and remember not to click on their links. The point is that if someone really wanted to get you to click on a malicious XSS link they will, no doubt. All they’d have to do is disguise it and redirect it off any ol’ unrecognizable domain they control, and you’d never get a chance to spot the XSS payload beforehand.
So, here’s my feature request for the browser vendors, one that I don’t expect to be implemented until n + 1 versions from now, n being the version currently in beta. That roughly means Firefox 4 or Internet Explorer 9. The URL from any 3XX redirect should not be allowed to contain the < and > characters. Or perhaps something less restrictive, say no HTML tags allowed. Would that break anything? Sure, it’s not a perfect solution, but we have NOTHING now. Anyone want to try this out first by making a browser add-on?
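To make the two variants of the proposal concrete, here is an added example of the check a browser (or an add-on) would run on a 3XX response before following it. This is not code from the original post or from any browser vendor; the function names, the "strict" versus "tags" policy switch, and the sample Location headers are all constructed for illustration. It also goes one step beyond the text by percent-decoding the target first, so that an encoded angle bracket is inspected in the same form the destination page would see it, and it includes a sample that the strict rule would wrongly block, which is the "would that break anything?" question in miniature.

```javascript
// Added example (not from the original post): a defensive check over a 3XX
// Location header, modelled on the two rules proposed above.
// Assumptions: `location` is the raw header string a browser receives; the
// policy names and all sample URLs below are constructed for this example.

// Something shaped like an HTML tag: "<b>", "</b>", "<img ...>" and so on.
const TAG_PATTERN = /<\s*\/?\s*[a-z][a-z0-9-]*[^>]*>/i;

// Percent-decode a bounded number of times so an encoded bracket is inspected
// in the form the destination would eventually see. Malformed sequences are
// left as-is instead of throwing.
function fullyDecode(value, rounds = 3) {
  let current = value;
  for (let i = 0; i < rounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return current;
    }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Strict variant from the post: refuse any redirect target containing '<' or '>'.
function violatesStrictRule(location) {
  const decoded = fullyDecode(location);
  return decoded.includes("<") || decoded.includes(">");
}

// Lenient variant from the post: refuse only targets containing an HTML-tag shape.
function violatesTagRule(location) {
  return TAG_PATTERN.test(fullyDecode(location));
}

// Decide whether a response should be followed. `policy` is "strict" or "tags"
// (names assumed for this example). Non-3XX responses are never redirects.
function shouldFollowRedirect(statusCode, location, policy = "strict") {
  if (statusCode < 300 || statusCode > 399) return true;
  if (typeof location !== "string" || location.length === 0) return false;
  const blocked =
    policy === "strict" ? violatesStrictRule(location) : violatesTagRule(location);
  return !blocked;
}

// Constructed sample Location headers (not real shortener targets).
const SAMPLES = [
  { status: 301, location: "https://example.com/articles/2006/tinyurl" },       // plain target
  { status: 301, location: "https://example.com/search?q=a<b>bold</b>" },        // literal tag
  { status: 301, location: "https://example.com/search?q=a%3Cb%3Ebold%3C%2Fb%3E" }, // encoded tag
  { status: 301, location: "https://example.com/compare?expr=1%3C2" },           // a bare "<", no tag
];

// Returns one boolean per sample: true means the redirect would be followed.
function evaluateSamples(policy) {
  return SAMPLES.map((s) => shouldFollowRedirect(s.status, s.location, policy));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("strict:", evaluateSamples("strict")); // [true, false, false, false]
  console.log("tags:  ", evaluateSamples("tags"));   // [true, false, false, true]
}
```

The last sample is the cost of the strict rule: a query string carrying a bare "1<2" has nothing to do with HTML, yet the strict variant blocks it while the tag-shaped variant lets it through. That gap is exactly the trade-off between the two options the post floats, and it is the kind of breakage an add-on author would want to measure before shipping either rule.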