BROKEN LINK HIJACKING

Source: https://proviesec.medium.com/

What is Broken Link?

A broken link is a hyperlink that points to a page or resource that
does not exist. Most often, these linked pages were deleted or
moved without a redirection set up. When the user or crawler
follows a broken link, the server returns a 404 (Not found) or 410
(Gone) status code.

What is Broken Link Hijacking?

Broken link hijacking (BLH) is a type of web attack. It exploits
external links that are no longer valid. If your website or web
application uses resources loaded from external URLs or points to
such resources and these resources are no longer there (for
example due to an expired domain), attackers can exploit these
links to perform defacement, impersonation, or even to launch
cross-site scripting attacks.

In short,
1
 Broken link hijacking is an attack that takes advantage of expired,
unlinked, or inactive external links embedded in a web page. For
example, suppose an application uses resources or third-party
services loaded from an external URL.

How to detect Broken Link Hijacking?

For some vulnerability scanners, notably Acunetix by Invicti,
security scan results include information about broken links that
return 404 or similar errors. This also covers external links that
may result in broken link hijacking. If not, you can use broken
link checker tools like Siteinspector or Octopus. Many SEO
packages also have functionality for detecting incorrect external
links.

Even so, dead link checkers can only detect a small number of
potential BLH targets because they can only find BLH if the link
fails. If the domain provider decides to create their own redirect
and landing page for every URL within an expired domain (as is
standard practice), crawls will not be able to distinguish between
this placeholder and a valid page.

The only method to ensure comprehensive security is to do

manual penetration testing on a regular basis to detect such
occurrences. Unfortunately, pentesters frequently ignore damaged
links, presumably because they are considered an administrative
rather than security issue. For example, when top HackerOne

2
researchers were asked if they check for broken links as part of
bug bounty programs, the vast majority said no.

Some Examples of Broken Link Hijacking

With thousands of domains expiring every day, broken links are
common. Not all of these result in broken link hijacking but all
have the potential to do so. Here are a few noteworthy examples.
• In 1999, Microsoft forgot to renew the passport.com domain
used by its Hotmail email service. The renewal was picked
up by a random Internet user, who then contacted Network
Solutions. Microsoft thanked the user with a $500 check,
which was then auctioned off for charity. Microsoft made
another mistake in 2003, this time allowing a private
individual to purchase the domain hotmail.co.uk, fortunately
also without malicious intent.
• In 2010, Foursquare failed to renew its domain name.
Luckily, their homepage was simply replaced by a default
hosting landing page (GoDaddy), and no one purchased the
domain before it was renewed.
• In 2013, one of the largest banks in the United States,
Regions Bank, experienced a similar mishap. Failure to
renew their primary domain resulted in a nearly week-long
service outage.
• In 2017, a vulnerability researcher known as MisterCh0c
conducted an analysis that allowed him to hijack tweets from
Katy Perry, Shakira, Jennifer Lopez, Maroon 5, and others.
These Twitter accounts had links to either non-existent
3
 redirection/link-shortening services or links to expired
domains. From the top 1000 Twitter accounts, MisterCh0c
was able to locate 109 accessible domains. This resulted in
the creation of twitterBFTD, a tool that allows you to
determine whether your tweets are affected by this issue.
• In the past, well-known link-shortening services have also
gone out of business or been retired. The discontinuation of
Google’s goo.gl service did not result in BLH, but the
closure of tr.im in 2009 resulted in the domain being
available for sale.
What Makes BLH Attacks Possible?
Link Hijacking attacks occur because the website/ web
application continues to contain links to expired/ stale
resources/pages (loaded using external URLs).

Given the relentless transformation of the Web, all externally

loaded resources will not remain unaltered and accessible forever.
There could be domain expiry, deletion of page/ resource/ account,
website restructuring, business rebranding/ acquisition, etc. that
could cause outbound links to rot/ expire.

4
Impacts of Broken Link Hijacking
• Defacements: By purchasing expired domains and using the
broken links on websites/ web applications, attackers can
engage in defacements. They can change your original
content to their malicious or offensive content. This could
lead to an erosion of the company’s reputation, customer
attrition, and distribution of malware.
Several celebrity social media accounts have been affected
by BLH attacks.
• Stored XSS Attacks: Often, companies load scripts from
external locations/ resources for several reasons. For instance,
Caching JavaScript (JS) to speed up page loading
Separation of HTML and JS for easier maintenance
Link to traffic analysis, etc.
If these links are broken, the attacker may take over the
domain or resources and substitute the scripts. This leads to
stored XSS attacks with malicious scripts loading
automatically on the web pages with every visit.
• Impersonation:Another big risk associated with BLH is
impersonation. Broken link hijackers leverage expired
endpoints (expired domains, deleted social media accounts,
etc.) at the end of broken links to impersonate companies and
high-profile users. This causes heavy reputational and
financial damage.

5
 For instance, a company may delete a social media account
but leave the link on their website. The hijacker will simply
create an account with that name and post something
objectionable or engage in phishing, posing as the company.
• Other Security Risks include:
1. Content Hijacking
2. Information Leakage
3. Phishing Attacks

Mitigations
• Regularly monitor and update external links
• Manage expired domains proactively
• Use caution with third-party services
• Implement link cloaking (carefully)
• Keep software updated
• Employ security measures
• Stay informed about BLH techniques

6
References
➔ https://www.acunetix.com/blog/web-security-zone/broken-
link-hijacking/
➔ https://www.cobalt.io/blog/hunting-for-broken-link-
hijacking-blh
➔ https://www.indusface.com/blog/what-is-broken-link-
hijacking/
➔ https://proviesec.medium.com/broken-link-hijacking-what-it-
is-and-how-to-get-bounties-with-it-ca64db6a3f74
➔ https://gemini.google.com/