Be wary of making this kind of website. I made something similar a long time ago (urllengthener.sadale.net) and got my site reported for a "spam campaign". Turns out that a spammer was abusing my site to generate spam links. I handled that promptly by shutting down my site and didn't receive any penalty for it.
The way it worked is that the spammer used my urllengthener as a redirection service to a website that looks like an incomplete project, which is actually a disguise. There's JavaScript code on their site that detects whether there's a URL fragment identifier (the hash thingie postfixed to the URL), and if the fragment identifier matches an ad of their own, it redirects to the actual spam ad.
Let's say the spammer owns example.org. The spammer would generate a link with my service such that https://urllengthener.sadale.net/foobarbaz would redirect to https://example.org. Then they'd send spam with a link of https://urllengthener.sadale.net/foobarbaz#identifierXYZ to the victim. The victim would click on the link, which redirects them to https://example.org/#identifierXYZ, which shows the victim the ad. https://example.org/ looks legit on its own, and nothing shows up in the HTTP server log because the URL fragment identifier is a client-side thing. I'm kind of thankful for that spam abuse report. Otherwise I might never have found out.
(Remarks: example.org isn't the actual spam site. I just use this domain name as an example.)
I don't have the time for now, but I think I should make a write-up about that some time later.
And I've tested your service, and apparently your site is vulnerable to the exact same kind of abuse as mine. I'd strongly recommend that you at least disable redirection of the URL fragment identifier. Example of a URL that's prone to abuse: https://looooooooooooooooooooooooooooooooooooooooooooooooooo...
Spamhaus or another IP reputation provider will contact your hosting provider or ISP and warn them that either:
- You need to follow their best practices (which practically for me meant paying for a subscription)
- Or your upstream net block would be marked as untrustworthy (which basically blocks email delivery from that IP range)
You can imagine what your hosting provider or ISP will do with this.
Source: I ran a URL shortening service from 2004-2007 and this happened to me.
How is this different from GET arguments in the URL? I mean, does this relate only to the URL fragment? JavaScript can parse URL parameters as well, and any spam site could abuse those even with a rewrite in the path part of the URL.
GET arguments are not redirected to the spam site because once the URL redirection site has received the GET argument, the GET argument would generally be discarded/disregarded before redirecting the user to the spam site.
But you're not in control of the fragment part. The server doesn't receive the fragment with the request; it's all managed completely by the browser. To handle this you need to do a client-side redirect with JavaScript.
So my idea would be getting looo.ong to create a special client-side redirection webpage that would remove the fragment part using JavaScript before performing the redirection with JavaScript. And no, using an HTTP redirection response on the server side won't work.
EDIT: I've actually seen URL redirection websites that remove the fragment part, so it should be doable. Perhaps the purpose of that is to avoid spam abuse.
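Added example, written for this page and not code from any commenter, from urllengthener.sadale.net or from looo.ong. It illustrates both the abuse described in the first comment and the client-side redirect suggested just above. Three things are modelled: how a browser applies an HTTP 3xx `Location` (per RFC 7231 §7.1.2 and the Fetch standard, the fragment of the request URL is inherited when the target has none, and the server never sees it); how a JavaScript navigation from a redirect page does not inherit the page's own fragment; and the spammer's disguise page, reconstructed from the description. The campaign tag `identifierXYZ`, the ad path under example.org and the `SPAM_CAMPAIGNS` table are constructed for illustration. Runs under Node or in a browser console.

```javascript
// Added example: fragment pass-through in URL redirectors and the client-side fix.
// Not code from the thread or from either redirection service. Sample URLs, the
// campaign tag and the ad path are constructed for illustration only.

// (1) HTTP 3xx redirect as the browser performs it (RFC 7231 s7.1.2 / Fetch):
// the fragment is never sent to the server, and when the Location target has
// no fragment of its own the browser re-attaches the one from the request URL.
function resolveHttpRedirect(requestedUrl, locationHeader) {
  const requested = new URL(requestedUrl);
  const target = new URL(locationHeader, requested); // Location may be relative
  if (!target.hash && requested.hash) {
    target.hash = requested.hash; // inherited fragment: this is the abuse channel
  }
  return target.href;
}

// (2) Client-side redirect: the redirector serves a page instead of a 3xx and its
// script calls location.replace(storedDestination). Resolving a URL from a page
// does not inherit that page's fragment, so "#identifierXYZ" is dropped. A fragment
// that was part of the stored destination itself is kept, which is what you want.
function resolveClientSideRedirect(currentPageUrl, storedDestination) {
  return new URL(storedDestination, currentPageUrl).href;
}

// The HTML the redirector would serve for (2). The destination is embedded as a
// JS string literal; "<" is escaped so it can never close the <script> element.
function redirectPageHtml(storedDestination) {
  const literal = JSON.stringify(new URL(storedDestination).href).replace(/</g, "\\u003c");
  return `<!doctype html>\n<meta charset="utf-8">\n<script>location.replace(${literal});</script>`;
}

// (3) The spammer's disguise page, reconstructed from the comment: a bland
// "unfinished project" whose script maps location.hash to its own ad pages.
// Tag and ad URL are hypothetical.
const SPAM_CAMPAIGNS = new Map([["identifierXYZ", "https://example.org/ad/xyz"]]);
function disguisePageTarget(landedUrl) {
  const tag = new URL(landedUrl).hash.slice(1);
  return SPAM_CAMPAIGNS.get(tag) ?? null; // null: visitor just sees the harmless page
}

// Walk-through with the URLs from the thread.
const spamLink = "https://urllengthener.sadale.net/foobarbaz#identifierXYZ";
const stored = "https://example.org/"; // what the redirector has on file for /foobarbaz
const via301 = resolveHttpRedirect(spamLink, stored);
const viaJs = resolveClientSideRedirect(spamLink, stored);
console.log("301 redirect lands on", via301, "-> ad:", disguisePageTarget(via301));
console.log("JS redirect lands on ", viaJs, "-> ad:", disguisePageTarget(viaJs));
```

The only thing the redirector's server log ever contains is the request for `/foobarbaz`; the tag lives entirely in the browser, which is why the abuse is invisible until an abuse report arrives. Stripping the fragment closes this one channel; it does not stop a spammer from minting a fresh short link per campaign, so abuse reporting and rate limits still matter.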
Thanks to the need for ES to accommodate SPAs (one of the worst things that has ever happened to the web), ES/JS is allowed to change the URL of the page as long as it is within the same domain. What could go wrong. Don't try to make the web a Qt replacement. Create your own freaking interface. Stop hijacking the web as a document-based platform to squeeze everything in there.