Broken Link Hijacking

Slack Group

Before we get started I have started a slack group dedicated to hacking. We welcome everyone from beginner to advanced to join. I will be on everyday answer questions, doing CTFs, and talking about cool hacks. If you enjoy hacking and are looking for like minded people join below:

NEW Hacking Group Slack Channel

Introduction

Almost everyone has heard of subdomain hijacking but what about broken link hijacking. These two vulnerabilities are very similar the major difference is that one involves a subdomain while the other involves an expired link on a page. Shout out to edoverflow, for explaining this technique in his blog post.

Stored XSS

Broken link hijacking can be exploited to do many things but I will be talking about how to get stored XSS from expired links. The concept is actually fairly basic.


<html>
<head>
  <title>Ghostlulz - Broken Link Hijacking</title>
</head>
<body>
  <script src="vulnerable.com/javascript_file.js"></script>
</body>
</html>

As you can see above we have an HTML page that utilizes an external javascript file. This page is trying to import a file from “vulnerable.com”. If this website is expired an attacker could buy the domain “vulnerable.com” and host their own malicious javascript file. The target application would then import this file which could cause stored XSS.

Thats it, all we are doing is registering an expired domain and uploading a malicious javascript file. Just make sure your XSS payload is stored in the malicious javascript file and your good to go.

Broken Link Checker

Before you can take advantage of a broken link you have to find it. The following tool can be used to scan an application for broken links:

Once the tool is downloaded you can run the following command to scan an application:

 blc -r –filter-level 2 https://starbucks.com  | grep “\.js” | grep “BROKEN”

blc scan

This tool will attempt to find all broken links on the page. Remember that if your looking for stored XSS you will have to find vulnerable javascript files that are being imported.

Conclusion

I always hear people talking about subdomain hijacking but I never hear anyone mentioning broken link hijacking. If you find a vulnerable javascript file you may be able to get stored XSS. Very few people know about this type of attack and even fewer are searching for it. This is the perfect recipe for easy wins.

1 thought on “Broken Link Hijacking”

Leave a Reply

Your email address will not be published. Required fields are marked *