Links are one of the most important components in a website, web page or web application as you tend to always interact with them either directly or indirectly. However, if care is not taken, these links could be exploited and hijacked by malicious users when expired or no longer available.
Broken Link Hijacking is a type of cyber attack that exploits expired or invalid external links embedded on your website. If your web application or website uses third-party services or resources loaded from an external URL, or redirects to such services, and they are no longer available or valid (this usually happens when an expired domain is hijacked), hackers can exploit these vulnerable links to launch various types of cyber attacks, such as Cross Site Scripting, which is used to steal data and for impersonation.
In this article, we are going to explore various vulnerabilities that could be exploited in Broken Link Hijacking and how to protect your site against them.
External Javascript Resources
If your website uses external JavaScript resources, for analytics and insights for instance, it could be vulnerable to stored broken link hijacking if the domain hosting the resources has expired and been hijacked by a hacker.
The attacker now has full access and control of your website or webpage since they can easily modify the content of the files/links linked on your site.
For instance, suppose we have a simple webpage that loads a script from mylytics.com for site analytics and insights.
The link in the script's src attribute is responsible for collecting the site analytics and so on. Let's assume the company shuts down and stops offering such services, and the domain later expires. Anyone could then easily reclaim the domain and update the content of the files/links connected to your webpage.
Whoever has that domain can now take over any webpage that has embedded that script on their web page including ours. This could lead to a lot of issues including impersonation, information and data leakage, and content hijacking.
Since the attacker can now modify the content of the JS files linked to your website, they can be used to steal sensitive data on your webpage, especially if you have a restricted portal/dashboard for authenticated users. They can be used to steal user information and even login credentials if the malicious script is present on the login page.
The attacker can exploit this to launch XSS attacks by hijacking the content of any webpage the script is present on. The content of the webpage can be changed entirely, a video can be embedded, or the page can be redirected to a malicious site based on events chosen by the attacker. There's a lot that could be done if this is carried out successfully by the attacker.
To prevent this, ensure you are using trusted third-party services, and remove any defunct scripts and expired links from your webpage.
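One way to find the scripts this section is about, as an added example that is not part of the original article: a Node.js audit that lists every script loaded from another host, whether that host is on a reviewed list, and whether the tag carries a Subresource Integrity hash (a control the article does not list, which makes the browser reject a file whose content has changed). The sample HTML, the file paths and the reviewed-host list are constructed for illustration.

```javascript
// Constructed sample page; the paths and the integrity value are placeholders.
const SAMPLE_HTML = `
<html><head>
  <script src="//mylytics.com/collect.js"></script>
  <script src="https://cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script src="/static/app.js"></script>
</head></html>`;

// Parse the attributes of one opening tag into a plain object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Return one finding per <script> that is loaded from a different origin.
function auditExternalScripts(html, pageOrigin, reviewedHosts) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!attrs.src) continue;                       // inline script, nothing to hijack
    const url = new URL(attrs.src, pageOrigin);     // resolves "//host/..." and relative paths
    if (url.origin === new URL(pageOrigin).origin) continue;
    findings.push({
      host: url.hostname,
      reviewed: reviewedHosts.has(url.hostname),    // false: remove the tag or vet the service
      hasIntegrity: Boolean(attrs.integrity),       // false: content can change unnoticed
    });
  }
  return findings;
}

// Hypothetical site origin and reviewed-host list.
console.log(auditExternalScripts(SAMPLE_HTML, 'https://shop.example', new Set(['cdn.example.org'])));
```

Any finding with `reviewed: false` is a candidate for removal, and the audit can run in CI so that a defunct provider is noticed before its domain changes hands.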
Anchor Tag: Target Blank XSS Vulnerability
Like I mentioned earlier, links are very important as they help connect different webpages (on the same or external sites) together. Most times, we tend to link to an external webpage/website from our website, either for references or to get more info.
Links are usually created using the anchor tag (<a></a>) in HTML.
You can further specify how you want the link to open with the target attribute.
Setting target="_blank" on a link to //example.com simply tells the browser to open //example.com in a new tab. However, this could open up a vulnerability if the URL is not trusted or has been hijacked by a hacker due to expiration of the domain.
If you happen to construct your anchor links with target="_blank", the page you linked to has partial access to your webpage if it's opened. When opened, the new tab has access to the window.opener object, which can be used to control the main page.
With the window.opener object, the newly opened page can manipulate and change the location of the main page, or redirect it to a malicious page, using window.opener.location.
Now this is where it gets tricky. The user already trusts the page they opened before clicking on the link to open this new page. The attacker can redirect the main page to a similar malicious cloned page, and the user could then enter sensitive data into that page without doubting it.
The attacker only needs to assign a new address to window.opener.location from the newly opened page, which redirects the main page to the specified URL, http://fakewebsite.com, which could ask the user for sensitive data.
To fix this, you would need to add the rel attribute with the value noopener noreferrer to all links on your website.
If you are using the JavaScript window.open method to open a URL, the page will also be exposed to this vulnerability. You would need to reset the opener on the new window to fix this.
You can also use JavaScript to disable the location property for anchor links.
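The two fixes described in this section, as an added example that is not part of the original article: `hardenBlankLinks` merges noopener and noreferrer into the rel attribute of every link that opens a new tab, and `openDetached` wraps window.open so the opener is reset before the new tab navigates. Both function names are hypothetical, and the window object is passed in as a parameter so the code can be exercised outside a browser.

```javascript
// Add "noopener" and "noreferrer" to every <a target="_blank"> under `root`
// (a Document or Element), keeping rel tokens that are already present.
// Returns the number of links that had to be changed.
function hardenBlankLinks(root) {
  let changed = 0;
  for (const a of root.querySelectorAll('a[target="_blank"]')) {
    const current = (a.getAttribute('rel') || '').toLowerCase();
    const tokens = new Set(current.split(/\s+/).filter(Boolean));
    const before = tokens.size;
    tokens.add('noopener').add('noreferrer');
    if (tokens.size !== before) {
      a.setAttribute('rel', [...tokens].join(' '));
      changed++;
    }
  }
  return changed;
}

// Open `url` in a new tab without handing it a reference to this page.
// The tab is opened blank, its opener is reset, and only then is it
// navigated, so the target page never sees window.opener.
function openDetached(win, url) {
  const child = win.open('', '_blank');
  if (!child) return null;          // a popup blocker returned no window
  child.opener = null;
  child.location = url;
  return child;
}

// In a page:
//   document.addEventListener('DOMContentLoaded', () => hardenBlankLinks(document));
//   button.addEventListener('click', () => openDetached(window, 'https://example.com/'));
```

Links inserted after page load are not covered by a single pass, so run `hardenBlankLinks` again on any container whose content is rendered dynamically.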
Reflected XSS: Broken Link
This is similar to the concept of normal reflected XSS attacks, applied to broken links, and works with linked files like JS and so on.
Let's assume the link in this case is a file hosting service or a CDN link; a malicious user can create a link and host a malicious file on the service. This type of attack is very rare and you only get to see it once, but it's always a good idea to know this for future reference.
Let’s look at a simple scenario on file hosting services: filehoster.net. To get a version of a specified filename, you would need to construct this: http://filehoster.net/?v=1.0.0 which is hosted on cdn.filehoster.net.
cdn.filehoster.net allows us to add our project and host a malicious JS file.
How to Fix Broken Link Hijacking
There are many methods you can employ to help fix broken link hijacking vulnerabilities, the simplest being to use a popular tool to detect expired links on your website.
Broken Link Checker is a command line tool for easily checking for expired links and domains on your website. It will crawl any target website it is given and look for broken links.
You can install it from the source here: https://github.com/stevenvachon/broken-link-checker
You can easily check broken links for a website like below:
You can also exclude some domains to get better results: