Almost all shortened URL handling should be avoided as it provides a hidden way of re-directing users to malicious websites.  However if one must process these for a rare legitimate need the getlinkinfo site below can be helpful.  And technical IT professionals can use CURL as recommended in SANS Internet Storm Center. 

https://isc.sans.edu/diary/Taking+Apart+URL+Shorteners/28980

Ever get a “shortened” url (bit.ly, tinyurl.com or whatever) and stress about “clicking that link”?  Or worse yet, have that “Oh No” moment after you just clicked it?  Or possibly tripped over such a link during IR and have to investigate it?  Is there a way to look at the link contents without a sandbox with a packet sniffer (or fiddler or burp or similar)?   This may be old news to some of you, but it’s really disturbing how even how many security folks will follow a shortened link.  It’s enough of a problem that “de-fanging” links is a standard feature in many mail filter / anti-spam products.

Sure, you could go to an online thing like https://getlinkinfo.com , but you don’t know who’s running those, or how they unshorten the link – you don’t want them to actually navigate to the site (which is the default in curl for instance) – more on this later.  For me, I wanted a CLI script that would take a short URL and return the original link – I might want to run that result through something else (a reputation filter or virustotal for instance).  Let’s take a closer look at how we can do that.  Luckily, most of these shorteners are very simple.  Let’s look at what’s behind a bit.ly request using curl: