  • Save justrandomdev/ebe72520f25e2b88955e5a92a4a2596d to your computer and use it in GitHub Desktop.
Revisions

  1. @EdOverflow EdOverflow revised this gist Sep 4, 2017. 1 changed file with 9 additions and 9 deletions.
    18 changes: 9 additions & 9 deletions broken_link_hijacking.md
    @@ -1,15 +1,15 @@
    # Broken Link Hijacking - How expired links can be exploited.

    # Broken Link Hijacking - How expired links can be exploited.
    Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page. Broken Link Hijacking comes in two forms, reflected and stored. This issue has been exploited in the wild numerous times, but surprisingly few researchers actively look for broken links in bug bounty programs.

    ![image](https://user-images.githubusercontent.com/18099289/30001780-873a820e-9098-11e7-9c53-ab746d322fc7.png)

    This post aims to give you a basic overview of the different issues that could possibly arise if a target links to an expired endpoint.

    # Stored Broken Link Hijacking

    ### Impersonation

    # Stored Broken Link Hijacking
    ### Impersonation
    When a company deletes their social media account they might forget to remove the link from their website. An attacker can create an account on the social media platform with that username and impersonate the company.

    ### External JS File Hijacking
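    Review bot: this revision appears to be whitespace-only (9 additions, 9 deletions) and removes the blank line between each heading and the text that follows it, e.g. `# Stored Broken Link Hijacking` now sits directly on `### Impersonation`. Markdown renders both forms the same, but blank lines around headings are the conventional layout (markdownlint's MD022 flags headings that are not surrounded by them), so keeping the original spacing is the safer choice. A smaller point while touching the title line: the trailing period in `# Broken Link Hijacking - How expired links can be exploited.` is unusual for a heading and could be dropped.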
  2. @EdOverflow EdOverflow revised this gist Sep 3, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion broken_link_hijacking.md
    @@ -101,7 +101,7 @@ $ blc -rof --filter-level 3 https://example.com/
    After a while I often find myself adapting it to something like this in order to prevent false positives:

    ```zsh
    $ blc -rfoi --exclude linkedin --filter-level 3 https://example.com/
    $ blc -rfoi --exclude linkedin.com --exclude youtube.com --filter-level 3 https://example.com/
    ```

    Link: https://github.com/stevenvachon/broken-link-checker
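    Review bot: the new command line changes two things at once, narrowing `--exclude linkedin` to the more specific `--exclude linkedin.com` and adding `--exclude youtube.com`, while the sentence above it still only says this is done "to prevent false positives". A short clause saying what those false positives are (for example, hosts that answer automated requests with an error status although the page exists) would tell readers when they should extend the list themselves rather than copy these two domains. Also consider dropping the leading `$` inside the `zsh` fence so the command can be pasted as-is.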
  3. @EdOverflow EdOverflow revised this gist Sep 3, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion broken_link_hijacking.md
    @@ -112,7 +112,7 @@ misterch0c released a little script that finds expired domains in tweets.

    Link: https://github.com/misterch0c/twitterBFTD

    # References
    ## References

    [Cure53]: https://github.com/cure53/HTTPLeaks
    [1] https://github.com/cure53/HTTPLeaks
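    Review bot: demoting `# References` to `## References` leaves the heading hierarchy inconsistent: `# Stored Broken Link Hijacking` and `# Reflected Broken Link Hijacking` remain H1 while `## Tools` and `## References` are H2, so either demote those two section headings as well or keep this one at H1. The two lines under the heading also point at the same URL; `[Cure53]: https://github.com/cure53/HTTPLeaks` is a link definition that Markdown does not render, so the visible list shows only the `[1]` line, and the inline citation `[[1]][Cure53]` already resolves through the definition. One of the two lines is therefore redundant.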
  4. @EdOverflow EdOverflow created this gist Sep 3, 2017.
    118 changes: 118 additions & 0 deletions broken_link_hijacking.md
    @@ -0,0 +1,118 @@
    # Broken Link Hijacking - How expired links can be exploited.

    Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page. Broken Link Hijacking comes in two forms, reflected and stored. This issue has been exploited in the wild numerous times, but surprisingly few researchers actively look for broken links in bug bounty programs.

    ![image](https://user-images.githubusercontent.com/18099289/30001780-873a820e-9098-11e7-9c53-ab746d322fc7.png)

    This post aims to give you a basic overview of the different issues that could possibly arise if a target links to an expired endpoint.

    # Stored Broken Link Hijacking

    ### Impersonation

    When a company deletes their social media account they might forget to remove the link from their website. An attacker can create an account on the social media platform with that username and impersonate the company.

    ### External JS File Hijacking

    If a target has an external JS file and that domain/page is expired, you can claim it and then you essentially have stored XSS.

    Say for instance example.edu has an external JS file hosted on example.com and example.com has expired.

    ```html
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width">
    <title>Broken Link Hijacking</title>
    </head>
    <body>
    <script src="//example.com/script.js"></script>
    </body>
    </html>
    ```

    Now you can takeover example.com and can control the JS file on example.edu.

    ### Information Leakage

    Hijacking broken links which are missing the `rel="nofollow"` attribute could leak information to the attacker-controlled page. [[1]][Cure53]

    Also sometimes companies still link to expired analytics pages. If the attacker can hijack that expired page, they can monitor traffic and possibly gather valuable information about the target's users. Someone actually once found one of these on Gratipay's program: https://hackerone.com/reports/111078.

    ### Content Hijacking

    An attacker can hijack the content of a page by taking over the expired domain/page. A good example of this can be seen in [@MisterCh0c](https://twitter.com/MisterCh0c)'s blog post ["How I hijacked top celebrities tweets including Katy Perry, Shakira…"](https://hackernoon.com/how-i-hijacked-top-celebrities-tweets-including-katy-perry-shakira-fca3a0e751c6).

    ![image](https://user-images.githubusercontent.com/18099289/30002343-55a8dfc4-90a7-11e7-95b2-052bb5a1a5a3.png)

    # Reflected Broken Link Hijacking

    You know that feeling when you think you have reflected XSS, but cannot break out of the `href` or `src` attributes?

    If the link is a CDN or a file hosting service, you can construct a malicious link and host that file on the service. Admittedly, these are very rare, but definitely something to keep in mind in case you come across this issue in the future.

    ### Example Scenario

    http://example.edu/?version=1.0.0 returns a specific version of the JS file being hosted on cdn.example.

    ```html
    <!-- http://example.edu/?version=1.0.0 -->
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width">
    <title>Broken Link Hijacking</title>
    </head>
    <body>
    <script src="//cdn.example/1.0.0/script.js"></script>
    </body>
    </html>
    ```

    cdn.example allows us to add our project and host a malicious JS file.

    ```html
    <!-- http://example.edu/?link=maliciouspath -->
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width">
    <title>Broken Link Hijacking</title>
    </head>
    <body>
    <script src="//cdn.example/maliciouspath/script.js"></script>
    </body>
    </html>
    ```

    ## Tools

    ### broken-link-checker

    broken-link-checker will crawl a target and look for broken links. Whenever I use this tool I like to run:

    ```zsh
    $ blc -rof --filter-level 3 https://example.com/
    ```

    After a while I often find myself adapting it to something like this in order to prevent false positives:

    ```zsh
    $ blc -rfoi --exclude linkedin --filter-level 3 https://example.com/
    ```

    Link: https://github.com/stevenvachon/broken-link-checker

    ### twitterBFTD

    misterch0c released a little script that finds expired domains in tweets.

    Link: https://github.com/misterch0c/twitterBFTD

    # References

    [Cure53]: https://github.com/cure53/HTTPLeaks
    [1] https://github.com/cure53/HTTPLeaks
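    Review bot: the two snippets under "Example Scenario" disagree with each other and with the sentence that introduces them: the text and the first HTML comment use `http://example.edu/?version=1.0.0`, but the second comment uses `http://example.edu/?link=maliciouspath`, so it is unclear whether a single parameter is being reflected into the `src` path; use the same parameter name in both comments. The "External JS File Hijacking" section would also be stronger if it named the defence its scenario implies: `<script src="//example.com/script.js"></script>` carries no `integrity` attribute, so the browser runs whatever the new owner of example.com serves, whereas with Subresource Integrity a file whose hash no longer matches is refused; the same applies to the `//cdn.example/...` snippets. Minor wording: "Now you can takeover example.com" should read "take over".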