Hello everyone, hope you all are doing good.
Today I have two interesting topics for you. Open Redirection(also known as URL Redirection) and Broken Link Hijacking. I have selected two vulnerabilities because they are not that complex and need very little explanation. So, let us dive into our maze and learn how to find them.
What is URL
URL simply stands for Uniform Resource Locator. It is a kind of address for a particular web page, and no two web pages can have the same URL. There can be more than one URL in a web application and each URL points to a web page. Here this web page is made up of HTML, CSS, and any programming language of choice and is hosted on a web server. Now if the URL is not pointing to anything then it has no page attached to it to show us.
URL Redirection
So, now you may understand what URL Redirection could be. We just make the URL of a web page redirect to the page that it is not destined for. Let me put this simply. Think of a URL as a postal address. You have a parcel with the address on it. You gave it to your friend and told him to courier it. But he is a bit mischievous. So he took a new envelope and wrote another address and posted it. So instead of it going to the address you assigned, it now goes to the address your friend assigned. In the same way, if you incorporate data into the target of redirection and if it is not validated, then it is called URL Redirection.
How to Find it
There are 3 types of URL redirections.
GET based — If the data is incorporated in the GET request of the URL
POST based — If the data is incorporated in the POST request of the URL
Header Based — If the data is incorporated in the Header of the URL
GET based
Simply switch on your Burp suite. Capture the GET Request and add any URL of your choice. Now forward it and see, if you get redirected.
GET /bing.com/?www.example.com/?page=2 HTTP/1.1
Host: www.example.comIf you are not seeing any redirection, try these steps
Try adding / before your target like ////bing.com/?
Or try encoding your URL like %2fbing.com%2f%3f
Or you can even try URL encoding like %2f%62%69%6e%67%2e%63%6f%6d%2f%3f
You can give your at the end of the main URL like www.example.com/?page=bing.com
Check if any of these work.
POST Based
This is also similar to the previous one, but here we are changing giving our input in the POST method.
POST /bing.com/?www.example.com/?page=2 HTTP/1.1
Host: www.example.comThis is not a severe vulnerability and is P5 in Bug crowd.
Header Based
In this, we add URLs using headers, such as X-Forwarded-Host, etc… And if it is redirected then it is vulnerable. But this is also a P5, so not that severe.
What is Broken Link Hijacking
Hijacking is simply taking over something without permission. And Broken Links are the links in the web page that are expired or invalid external links i.e, they do not point anywhere. So if we can steal those links and create our own malicious page in it, we can control the user who visits the page.
How to find it
Start by collecting all the web pages of the web application and see pages that are
not found i.e, code 404
Show message that the page is not available
Social media pages which don’t contain a page (See if the social media links are redirecting to their company pages. If they are just returning the home page, with their company URL, then you can create a fake account on behalf of their name and you can control their social handles and activity)
Impact
If the attacker gets hold of the page then he can make users submit confidential information pretending to be from the official site. This can cause huge damage to the organization.
Hope you enjoyed the article and learned something new today. I am thinking of starting a series on how to do recon for bug hunting. I would be giving my insights from basic recon to knowing everything about a web application. Do let me know your thoughts on this.
Catch you all in the next post with another vulnerability. Check out my Instagram to know more about Tips and Tricks to finding bugs.
Till then take care and Happy Hacking!!!👋👋
