I have a website that allows others to share urls. To make sure noone enters "evil" sites I use the google safebrowsing api:
$url = 'https://safebrowsing.googleapis.com/v4/threatMatches:find?key='.$key;
$data = array(
'client' => array('clientId'=> $clientId, 'clientVersion'=>'0.1'),
'threatInfo' => array(
'threatTypes'=>array('MALWARE', 'SOCIAL_ENGINEERING','UNWANTED_SOFTWARE'),
'platformTypes'=> array('ANY_PLATFORM','ALL_PLATFORMS', 'ANDROID','WINDOWS','IOS','OSX','LINUX'),
'threatEntryTypes'=> array('URL'),
'threatEntries' => array('url'=>$tsturl)
),
);
$data_json=json_encode($data);
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$data_json);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
This works as designed. So if I add a phishing site like thisisevil.com the api-call returns a warning.
But if someone uses an url shortener like tny.sh/abcefg which then redirects to thisisevil.com the safebrowsing-api does not show me there is a threat.
Is there a way to tell the secure browsing api to follow redirects?
You could always make a request to the URL you want to test and see if it redirects somewhere, and if so pass that redirected URL to the safebrowsing API.
But ultimately you can only make it harder, if someone wants to redirect to a malicious URL, they will. Blacklists are at best only partially effective.