What is Broken Link Hijacking?
First things first: let us define broken link hijacking, a very easy bug class. A web page generally loads with a lot of links to both on-site (the host isn’t external) and external locations. Consider this: a web app, say example.com, renders links that reference external websites/domains, and some of those links lead a user to, say, https://huntingreads.com/blog/2021/broken-links. The huntingreads.com domain expires and isn’t used, but example.com still embeds the link leading its users to huntingreads.com/blog/2021/broken-links. This is what broken link hijacking means: a link embedded in a web app that is broken (not used), so anyone can claim it.
Broken links are not limited to domains. They could also be links to social accounts that could be claimed by other people, or project names that aren’t used and could be taken by attackers, thus impersonating a legitimate user’s identity.
How did I find a BLH?
Since putting it in steps would make it easier to understand, let us understand it piece by piece.
* The following link (not broken BTW) will take you to a new domain that helps in finding broken links:
I used it and found that a web app, at one location, was linking to a domain that didn’t exist.
* I bought and claimed the domain it was linking to, and hence the link (full endpoint).
This is what it looked like:
Step1) Go to target.com/a/b/c and click on a link domain.com.au/blog/abc in NEW TAB
Step2) Buy domain.com.au (.com was claimed BTW) and buy hosting.
Step3) Create dirs: /blog/abc
Step4) Upload: “This is a broken link hijacking POC” in /blog/abc.
Step5) Repeat Step1.
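From the site owner's side, the same condition can be caught by auditing your own pages for external links whose host no longer resolves. The following is an added example, not code from the original post: the function names, the sample HTML and the `.example` hostnames are constructed, and the resolver is injectable so the check can be exercised offline.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _LinkCollector(HTMLParser):
    """Collects every href/src attribute value found in the markup."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

def external_hosts(page_url, html):
    """Map each external hostname to the absolute links that point at it."""
    own_host = urlsplit(page_url).hostname
    collector = _LinkCollector()
    collector.feed(html)
    hosts = {}
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme in ("http", "https") and parts.hostname and parts.hostname != own_host:
            hosts.setdefault(parts.hostname, []).append(absolute)
    return hosts

def dns_resolves(host):
    """Default check: True if the hostname currently resolves."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def dangling_links(page_url, html, resolves=dns_resolves):
    """Return links whose host no longer resolves (candidates for removal)."""
    return {h: urls for h, urls in external_hosts(page_url, html).items()
            if not resolves(h)}

# Constructed sample page; hostnames are placeholders.
SAMPLE_HTML = """
<a href="/about">About</a>
<a href="https://partner.example/blog/abc">Partner post</a>
<script src="https://cdn.example/lib.js"></script>
<a href="mailto:team@site.example">Mail</a>
"""
```

A failed lookup is only the cheapest signal: an expired domain can still resolve (for example to a parking page), so links flagged here should be removed or repointed, and links that pass still deserve a periodic review.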
I attempted to explain this simply so that even a novice to bug bounty can understand. If you still have any questions, comment below like always. 🙂