Linking to external websites, blogs, and other web pages for various resources, credits, and reference statements is standard for referencing in the applications. For example, such outbound links are recommended for SEO purposes.
Other times, applications might use external links for CDN or file hosting services, social media pages, or analytics pages. However, if security mechanisms are not implemented properly, these links may be hijacked by attackers when they expire, are unlinked, or become unavailable.
Broken link hijacking is an attack that takes advantage of expired, unlinked, or inactive external links embedded in a web page. For example, suppose an application uses resources or third-party services loaded from an external URL.
In that case, if those resources or services are no longer available or are otherwise invalid (expired domains), attackers can hijack these links to carry out defacement (by buying expired domains), impersonation, or even cross-site scripting attacks.
Attack Scenario and Security Risks
Defacements
Changing the website's appearance or promoting it through external links can damage an organization's reputation. For example, if the website link expires and the attacker purchases the relevant domain, they might upload content entirely unrelated to the original. Such content might be offensive, deceptive, or malicious and go against the organization's guidelines.
Impersonation
Impersonation is a significant risk associated with broken link hijacking. To pose as well-known brands and users, threat actors use expired endpoints at the end of broken links. This causes significant reputational and financial damage.
Suppose a business closes or forgets to create a social media account but keeps the link on its website. By simply creating an account under that name, the hijacker can post offensive content or carry out phishing attacks while impersonating the business.
Example Scenario
Suppose exapleme.com has mentioned a Linkedin page URL on their website but needs to remember to create the page. As a result, when visiting the Linked page URL
https://www.linkedin.com/company/example-me shows a 404 page not found.
To exploit this, the attacker creates a fake Linkedin page and customizes the URL to "example-me" so that when a regular user visits the company's Linkedin page through the URL, they get redirected to the attacker's controlled Linkedin page.
Here is another example where the security researcher found a different kind of broken link hijacking attack where only android mobile users were affected.
When visiting the external link to Google Play Store, it showed a 404 not found. Then researcher built an application to exploit this vulnerability.
Further, read - https://shahjerry33.medium.com/broken-link-hijacking-mr-user-agent-cd124297f6e6
External JavaScript Resources Hijacking
Suppose the domain where the resources (images, JS files, etc.) are located expires and is taken over by an attacker. The website may be vulnerable to stored broken link hijacking if it uses external JavaScript resources.
An attacker can claim an expired domain that contains an external JS file on a target and use it to perform stored XSS or other attacks.
Assume that exampleme.com has an external JS file hosted on exampleme.tech that has expired.
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>Broken Link Hijacking</title>
</head>
<body>
<script src="//exampleme.tech/storedxss.js"></script>
</body>
</html>
Now the attacker has control over exampleme.tech and the JS file on exampleme.com.
Since the attacker can now alter the JS files linked to the website, it might be used to steal sensitive information from the website (by executing client-side JS), primarily if the website has restricted access points or dashboards for authorized people.
The malicious script on the login page might be used to steal user information, including their login credentials.
Tools to check for broken links
1. Dead Link Checker
Dead Link Checker crawls through your website, identifying broken links for you to fix them.
2. Broken Link Checker
It is a NodeJS-based CLI broken link scanner written by Steven Vachon.
Mitigations
Implement Sub-resource Integrity
Sub-resource Integrity (SRI) implementation is beneficial because it verifies the legitimacy of processed links. In addition, it ensures that the browser only loads links that have not changed in form or appearance since they were published.
In SRI, the integrity value adds a cryptographic hash of the content to the <script> or <link> code. The browser compares the requested instructions and the established integrity hash value rather than immediately processing a script. It rejects the request if the hashes do not match.
Add a Content Security Policy (CSP)
Adding a content-security-policy HTTP header to your server's responses allows you to examine the domains from which resources are loaded. A content security policy restricts the browser from loading resources from untrusted or unknown sources. Every resource that passes through the browser is authenticated.
Regular Scan for Broken Links
An effective vulnerability scanner displays all of your links along with their status, including whether or not they are active. So, make sure to remove any inactive links from your system from the results you get from your scanner.