Broken link hijacking (BLH) is a type of web attack. It exploits external links that are no longer valid. If your website or web application uses resources loaded from external URLs or points to such resources and these resources are no longer there (for example due to an expired domain), attackers can exploit these links to perform defacement, impersonation, or even to launch cross-site scripting attacks.
Defacement using Expired Links
If your company uses an external link shortening service, for example, to include short links in tweets, the link shortening service may go out of business after some time, leaving its domain unregistered. This means that all your old links are now broken.
If an attacker purchases the domain used by the link shortening service that went out of business, they can substitute your original content with their own malicious content. Twitter and other social media sites often automatically parse such links and include any visual content such as a video. Therefore, the attacker could include offensive videos in all your old posts.
Read about how top celebrity tweets were hijacked using this technique.
Impersonation Due to Expired Domains
Another danger associated with expired domains is impersonation. If you own a domain and do not extend the registration of that domain, all links that include this domain may be used by an attacker, for example, to launch attacks relying on your reputation or to take over social media accounts registered using this expired domain.
Read about famous domain expirations that led to problems for their original owners.
Stored XSS using BLH
Many websites and web applications use scripts loaded from external resources. For example, they may be used to integrate with an external traffic analyzer similar to Google Analytics. If the traffic analyzer company goes out of business, this leaves a broken JavaScript link in your pages.
If an attacker takes over the domain of the external traffic analyzer, they can now place malicious scripts that will be automatically loaded by your web pages with every visit. This becomes a stored cross-site scripting attack that may have serious consequences.
How to Check for Broken Links
Broken links are often overlooked by penetration testers. For example, when top HackerOne researchers were asked whether they look for broken links as part of bug bounty programs, a majority of them answered that they don’t. Most web vulnerability scanners also don’t check for broken links.
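As an added example (not Acunetix's scanner or any tool this page links to), a small Python checker for the scenarios above: it lists a page's external script, stylesheet, image, frame and anchor URLs, flags any whose domain no longer resolves, and flags third-party scripts that carry no Subresource Integrity hash, since SRI makes a hijacked script fail its hash check instead of executing. The sample page, its `.invalid` hostnames and the dead-domain set are constructed; `host_resolves` is the real DNS check for production use.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that fetch a remote resource or send the visitor elsewhere.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src", "a": "href"}

# Constructed sample page; the .invalid hostnames are placeholders, not real vendors.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.analytics-vendor.invalid/track.js"></script>
<script src="https://cdn.lib-vendor.invalid/lib.js" integrity="sha384-PLACEHOLDER"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<a href="https://shrt.shortener-vendor.invalid/abc">old campaign link</a>
</body></html>"""
# Constructed DNS results standing in for vendors that have gone out of business.
DEAD_HOSTS = {"cdn.analytics-vendor.invalid", "shrt.shortener-vendor.invalid"}

class ExternalResourceParser(HTMLParser):
    """Collect (tag, url, has_sri) for every URL that points off the page's own host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.found = page_host, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(RESOURCE_ATTRS.get(tag, ""), "") or ""
        host = urlparse(url).hostname
        # Relative and same-origin URLs cannot be taken over by registering a domain.
        if host and host != self.page_host:
            self.found.append((tag, url, "integrity" in attrs))

def host_resolves(host):
    """Real resolver for production use: does the hostname still exist in DNS?"""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def audit_page(html, page_host, resolver=host_resolves):
    """Return (kind, tag, url) findings: 'dead-domain' when the host no longer resolves
    (anyone can register it), 'no-sri' for third-party scripts without SRI."""
    parser = ExternalResourceParser(page_host)
    parser.feed(html)
    findings = []
    for tag, url, has_sri in parser.found:
        if not resolver(urlparse(url).hostname):
            findings.append(("dead-domain", tag, url))
        if tag == "script" and not has_sri:
            findings.append(("no-sri", tag, url))
    return findings
```

Run it against your own pages with the default resolver; a `dead-domain` hit on a `<script>` is the stored-XSS case described above, and a `no-sri` hit is the same risk waiting for the vendor to fold.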
Acunetix is one of the very few web vulnerability scanners that you can use to check for potential broken link hijacking as well as thousands of other web vulnerabilities and misconfigurations.
More Information about BLH
Use the following resources to learn more about broken link hijacking:
- The original article on the subject by EdOverflow (with more examples)
- A simple free broken link checker on GitHub (not necessary if you use Acunetix)
- Expired domain checker for tweets