
Hunting for Broken Link Hijacking (BLH)

How often are you checking to ensure there are no broken links on your webpage? If you aren't checking, attackers could be taking advantage using a broken link hijacking attack. Core Pentester Harsh Bothra writes about what scenarios to watch out for.

It is standard practice for applications to link to external websites, blogs, and other web pages for resources, credits, and references. For example, such outbound links are recommended for SEO purposes.

Other times, applications might use external links for CDN or file hosting services, social media pages, or analytics pages. However, if security mechanisms are not implemented properly, these links may be hijacked by attackers when they expire, are unlinked, or become unavailable.

Broken link hijacking is an attack that takes advantage of expired, unlinked, or inactive external links embedded in a web page. For example, suppose an application uses resources or third-party services loaded from an external URL. If those resources or services are no longer available or are otherwise invalid (expired domains), attackers can hijack these links to carry out defacement (by buying expired domains), impersonation, or even cross-site scripting attacks.

Attack Scenario and Security Risks

Defacements

Changing the website's appearance or promoting it through external links can damage an organization's reputation. For example, if the website link expires and the attacker purchases the relevant domain, they might upload content entirely unrelated to the original. Such content might be offensive, deceptive, or malicious and go against the organization's guidelines.

Impersonation

Impersonation is a significant risk associated with broken link hijacking. To pose as well-known brands and users, threat actors use expired endpoints at the end of broken links. This causes significant reputational and financial damage.

Suppose a business closes or forgets to create a social media account but keeps the link on its website. By simply creating an account under that name, the hijacker can post offensive content or carry out phishing attacks while impersonating the business.

Example Scenario

Suppose exampleme.com has mentioned a LinkedIn page URL on their website but forgot to create the page. As a result, visiting the LinkedIn page URL https://www.linkedin.com/company/example-me shows a 404 page not found.

To exploit this, the attacker creates a fake LinkedIn page and customizes the URL to "example-me" so that when a regular user visits the company's LinkedIn page through the URL, they are taken to the attacker-controlled LinkedIn page.

Here is another example, where a security researcher found a different kind of broken link hijacking attack that affected only Android mobile users.

When visiting the external link to the Google Play Store, it showed a 404 not found. The researcher then built an application to exploit this vulnerability.

Further reading: https://shahjerry33.medium.com/broken-link-hijacking-mr-user-agent-cd124297f6e6

External JavaScript Resources Hijacking 

Suppose the domain where the resources (images, JS files, etc.) are located expires and is taken over by an attacker. The website may be vulnerable to stored broken link hijacking if it uses external JavaScript resources.

An attacker can claim an expired domain that contains an external JS file on a target and use it to perform stored XSS or other attacks.

Assume that exampleme.com has an external JS file hosted on exampleme.tech that has expired.

```html
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width">
  <title>Broken Link Hijacking</title>
</head>
<body>
  <script src="//exampleme.tech/storedxss.js"></script>
</body>
</html>
```

Now the attacker has control over exampleme.tech and therefore over the JS file loaded by exampleme.com.

Since the attacker can now alter the JS files linked to the website, they can be used to steal sensitive information from the website (by executing client-side JS), particularly if the website has restricted access points or dashboards for authorized people.

The malicious script on the login page might be used to steal user information, including their login credentials.

Tools to check for broken links

1. Dead Link Checker

Dead Link Checker crawls through your website, identifying broken links so you can fix them.

2. Broken Link Checker

It is a NodeJS-based CLI broken link scanner written by Steven Vachon.

Mitigations

Implement Sub-resource Integrity

Sub-resource Integrity (SRI) is beneficial because it verifies that the content behind an external link is still the content you originally referenced. It ensures that the browser only loads resources that have not changed since their hash was published.

In SRI, the integrity attribute adds a cryptographic hash of the content to the <script> or <link> element. Rather than immediately processing a script, the browser hashes the resource it fetched and compares the result with the integrity value. It refuses to load the resource if the hashes do not match.
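The following added example (not part of the original post) generates an integrity value with Node.js's built-in crypto module and models the browser-side comparison, so you can see a takeover of the script host being rejected. The function names and the sample script bodies are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Integrity value in the form "<algo>-<base64 digest>".
function sriHash(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Model of the browser check. The attribute may carry several hashes: only
// the strongest algorithm present is used, and any matching hash of that
// algorithm lets the resource load. If no supported hash is present, nothing
// is enforced and the resource loads.
function integrityMatches(body, integrityAttr) {
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((t) => t.split('?')[0])                       // drop optional "?options"
    .map((t) => ({ algo: t.slice(0, t.indexOf('-')), token: t }))
    .filter((t) => STRENGTH.has(t.algo));
  if (tokens.length === 0) return true;
  const best = Math.max(...tokens.map((t) => STRENGTH.get(t.algo)));
  return tokens
    .filter((t) => STRENGTH.get(t.algo) === best)
    .some((t) => sriHash(body, t.algo) === t.token);
}

// Hardened form of the script tag from the example page above.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample: the script as originally published, and what a new
// owner of the expired host serves in its place.
const PUBLISHED = Buffer.from('console.log("widget loaded");\n');
const REPLACED = Buffer.from('console.log("content from new domain owner");\n');
const PINNED = sriHash(PUBLISHED);

console.log(scriptTag('https://exampleme.tech/storedxss.js', PUBLISHED));
console.log('original loads:', integrityMatches(PUBLISHED, PINNED));
console.log('replaced loads:', integrityMatches(REPLACED, PINNED));
```

A typo in the algorithm prefix silently disables the check, which is why the unsupported-hash case is worth testing in your build pipeline.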

Add a Content Security Policy (CSP)

Adding a Content-Security-Policy HTTP header to your server's responses lets you restrict the domains from which resources are loaded. A content security policy stops the browser from loading resources from untrusted or unknown sources: every resource the browser requests for the page is checked against the policy.
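The added example below (not part of the original post) is a simplified model of how a browser applies script-src to a script URL, using the exampleme.com scenario from earlier. Assumptions: only 'self', '*', scheme sources and host sources are modelled; ports, paths, nonces, hashes and script-src-elem are ignored, and the policy string is constructed.

```javascript
function scriptAllowed(scriptUrl, cspHeader, pageUrl) {
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, page);
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;        // no applicable directive: unrestricted
  return sources.some((src) => {
    if (src === "'self'") return url.origin === page.origin;
    if (src === '*') return /^https?:$/.test(url.protocol);
    if (src.startsWith("'")) return false;       // 'none', nonces, hashes: not modelled
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i);
    if (!m) return false;
    const [, scheme, host] = m;
    if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
    return host.startsWith('*.')
      ? url.hostname.endsWith(host.slice(1).toLowerCase())
      : url.hostname === host.toLowerCase();
  });
}

// Constructed policy for the example page: same-origin scripts plus the
// external host the page loads its script from.
const PAGE = 'https://exampleme.com/';
const CSP = "default-src 'self'; script-src 'self' https://exampleme.tech";

console.log(scriptAllowed('/static/app.js', CSP, PAGE));                // same origin
console.log(scriptAllowed('https://unlisted.example/x.js', CSP, PAGE)); // not on the allowlist
console.log(scriptAllowed('//exampleme.tech/storedxss.js', CSP, PAGE)); // allowlisted host
```

The policy blocks hosts that are not listed, but an allowlisted host that later expires still passes, so review the allowlist together with your link scans and pair it with SRI.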

Regular Scan for Broken Links

An effective vulnerability scanner displays all of your links along with their status, including whether or not they are active. Use the scanner's results to remove any inactive links from your system.
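As an added example (not part of the original post, and not one of the tools listed above), this Node.js sketch inventories the external references in a page, ranks them by what a hijacked host could do, and flags scripts and stylesheets that lack an integrity attribute. Assumptions: tags are located with a regex to stay dependency-free, and the sample markup is constructed from the scenarios in this post.

```javascript
function auditExternalResources(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<(script|link|a|img|iframe)\b([^>]*)>/gi)) {
    const tag = rawTag.toLowerCase();
    const attr = (name) =>
      (attrs.match(new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, 'i')) || [])[1];
    const ref = attr(tag === 'a' || tag === 'link' ? 'href' : 'src');
    if (!ref) continue;
    let url;
    try { url = new URL(ref, page); } catch { continue; }
    // Keep only http(s) references that leave the page's own host.
    if (!/^https?:$/.test(url.protocol) || url.hostname === page.hostname) continue;
    // Scripts, stylesheets and frames act inside the page, so a hijacked host
    // is far more damaging there than behind a plain hyperlink or image.
    const sriCapable = tag === 'script' ||
      (tag === 'link' && /\bstylesheet\b/i.test(attr('rel') || ''));
    findings.push({
      tag,
      url: url.href,
      host: url.hostname,
      severity: sriCapable || tag === 'iframe' ? 'high' : 'low',
      missingSri: sriCapable && !attr('integrity'),
      protocolRelative: ref.startsWith('//'),
    });
  }
  return findings;
}

// Unique external hosts: the list to feed to a link checker and to watch for
// domain expiry or unclaimed social-media handles.
function hostsToMonitor(findings) {
  return [...new Set(findings.map((f) => f.host))].sort();
}

// Constructed sample page combining the scenarios described in this post.
const SAMPLE_URL = 'https://exampleme.com/';
const SAMPLE_HTML = `
<script src="//exampleme.tech/storedxss.js"></script>
<script src="/static/app.js"></script>
<a href="https://www.linkedin.com/company/example-me">LinkedIn</a>
<a href="/contact">Contact</a>`;

console.table(auditExternalResources(SAMPLE_HTML, SAMPLE_URL));
console.log(hostsToMonitor(auditExternalResources(SAMPLE_HTML, SAMPLE_URL)));
```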

About Harsh Bothra
Harsh Bothra is a Security Engineer with expertise in Web application, API, Android Application, Thick Client, and Network Pentesting. He has over 5 years of experience in Cybersecurity and penetration testing. He has written multiple books on ethical hacking including Mastering Hacking and Hacking: Be a Hacker with Ethics, presented at various security conferences, and is an active bug bounty hunter.