Almost everyone has heard of subdomain hijacking, but what about broken link hijacking? These two vulnerabilities are very similar; the major difference is that one involves a subdomain while the other involves an expired link on a page. Shout out to edoverflow for explaining this technique in his blog post.
Broken link hijacking can be exploited to do many things, but I will be talking about how to get stored XSS from expired links. The concept is actually fairly basic.
<html>
<head>
<title>Ghostlulz - Broken Link Hijacking</title>
</head>
<body>
<!-- external script loaded from a third-party domain (absolute URL, not a relative path) -->
<script src="https://vulnerable.com/javascript_file.js"></script>
</body>
</html>
As you can see above, we have an HTML page that loads an external JavaScript file from "vulnerable.com". If that domain has expired, an attacker could register "vulnerable.com" and host their own malicious JavaScript file. The target application would then import this file on every page load, which results in stored XSS for every visitor.
That's it: all we are doing is registering an expired domain and uploading a malicious JavaScript file. Just make sure your XSS payload is stored in that JavaScript file and you're good to go.
Before you can take advantage of a broken link you have to find it. The following tool can be used to scan an application for broken links:
Once the tool is downloaded you can run the following command to scan an application:
blc -r --filter-level 2 https://starbucks.com | grep "\.js" | grep "BROKEN"
This tool will attempt to find all broken links on the page. Remember that if you're looking for stored XSS, you will have to find JavaScript files that are imported from broken (expired) links, not just any broken link.
I always hear people talking about subdomain hijacking, but I never hear anyone mentioning broken link hijacking. If you find a vulnerable JavaScript file you may be able to get stored XSS. Very few people know about this type of attack, and even fewer are searching for it. This is the perfect recipe for easy wins.
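From the defender's side, the same problem is an inventory question: which third-party hosts does a page load scripts from, do those hosts still resolve, and is the script pinned with Subresource Integrity so that a host takeover cannot change what runs? The script below is an added example written for this post; it is not the author's code and not part of the `blc` tool. It parses a page with the standard library, lists external `<script src>` dependencies, flags hosts that no longer resolve in DNS (the resolver is injectable so the sample runs offline) and scripts that lack an `integrity` attribute, and computes the `sha384` SRI value for a script body. The sample HTML, the hosts `vulnerable.com`, `cdn.example.net` and `example.com`, and the `sha384-PLACEHOLDER` value are constructed for the example.

```python
"""Audit an HTML page for third-party <script src> dependencies (added example)."""
import base64
import hashlib
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) pairs from every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def external_scripts(html, page_host):
    """Return [(url, host, has_sri)] for scripts loaded from another origin."""
    parser = _ScriptCollector()
    parser.feed(html)
    found = []
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc.lower()  # "//cdn/x.js" still yields a netloc
        if not host or host == page_host.lower():
            continue  # relative or same-origin: not a third-party dependency
        found.append((src, host, integrity is not None))
    return found


def host_resolves(host):
    """Heuristic: a host with no DNS answer may be an expired (hijackable) domain."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def audit(html, page_host, resolver=host_resolves):
    """Return (finding, url) pairs: UNRESOLVABLE_HOST and/or MISSING_SRI."""
    findings = []
    for src, host, has_sri in external_scripts(html, page_host):
        if not resolver(host):
            findings.append(("UNRESOLVABLE_HOST", src))
        if not has_sri:
            findings.append(("MISSING_SRI", src))
    return findings


def sri_hash(script_bytes):
    """Value for the integrity attribute: browsers refuse a script whose hash differs."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed sample page: one relative script, one unpinned third-party script,
# one third-party script pinned with SRI (placeholder hash value).
SAMPLE_HTML = """<html><head><title>Constructed sample page</title></head>
<body>
<script src="/static/app.js"></script>
<script src="https://vulnerable.com/javascript_file.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</body></html>"""

if __name__ == "__main__":
    # Offline run: pretend every host except vulnerable.com still resolves.
    fake_resolver = lambda h: h != "vulnerable.com"
    for kind, url in audit(SAMPLE_HTML, "example.com", resolver=fake_resolver):
        print(kind, url)
    print(sri_hash(b"console.log('pinned');"))
```

A DNS failure is only a hint that a domain has lapsed; confirm registration status through WHOIS/RDAP before treating it as an incident. Either way, adding `integrity` (plus `crossorigin="anonymous"`) to every third-party script tag, or self-hosting the file, removes the stored XSS outcome described above even if someone later controls the host.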