Broken Link Leads to hijacking of Twitter Account

ASTUTE
Apr 3, 2023

How I was able to take over / hijack the broken Twitter link of redactxx.nl

What is Broken Link Hijacking?

Broken Link Hijacking is a technique used by attackers to take advantage of broken links on websites. When a website links to another page or resource, the linked page may later be removed or moved to a new location, resulting in a broken link. Attackers can exploit these broken links by registering a new domain, website or social handle that has a similar name, username or URL structure as the linked resource.
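
Seen from the site owner's side, the definition above suggests a simple audit: list every social profile a page links to and flag any handle that is not in the organisation's own inventory. The Python below is an added example, not code from the original post; the host list, the `OWNED` inventory and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts treated as social profile links; extend for your site.
SOCIAL_HOSTS = {"twitter.com", "x.com", "facebook.com", "instagram.com"}
# First path segments on those hosts that are not account names.
NON_PROFILE = {"", "share", "intent", "sharer", "home", "hashtag", "search", "i"}


class LinkCollector(HTMLParser):
    """Collect every href found in <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def social_handles(html):
    """Return a sorted list of (host, handle) pairs linked from the page."""
    parser = LinkCollector()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        url = urlparse(href)
        host = (url.hostname or "").lower().removeprefix("www.")
        handle = url.path.strip("/").split("/")[0].lstrip("@").lower()
        if host in SOCIAL_HOSTS and handle not in NON_PROFILE:
            found.add((host, handle))
    return sorted(found)


def unowned_handles(html, owned):
    """Handles the page links to that are missing from the owned inventory."""
    return [pair for pair in social_handles(html) if pair not in owned]


# Constructed sample page and inventory (not taken from the article).
SAMPLE_HTML = """
  <a href="https://twitter.com/ExampleCity">Twitter</a>
  <a href="https://www.twitter.com/examplecity_old/">Old feed</a>
  <a href="https://twitter.com/intent/tweet?text=hi">Share</a>
"""
OWNED = {("twitter.com", "examplecity")}

if __name__ == "__main__":
    print(unowned_handles(SAMPLE_HTML, OWNED))
```

Any pair it reports is a link to check by hand: either the account still belongs to the organisation and the inventory is stale, or the link should be removed from the page.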

Finding and hijacking broken links has always been known to security researchers, but how did I find this one? :)

Motivation Behind Finding that Bug


I went bug hunting on the Dutch government after seeing the cool swag they provide, and came across multiple endpoints of radact.nl/phpinfo.php which were revealing sensitive info.

I checked all the phpinfo.php pages and found the remote server IP, and when I cross-verified the IPs multiple times, I found them all to be in the same range, starting with the same x.x.x.0/24.

Next I grabbed all the live IPs within x.x.x.0/24; for this I used fping. Grabbing the live IPs was not enough, because I also had to check the country code to see whether each IP belonged to NL [Netherlands], which was my requirement, so I made a small Python script to do this.

fping command:

fping -a -g x.x.x.0/24 2>/dev/null > live.ip

Python script to check the domain country:

import requests

# Open the input file and read the IP addresses, skipping blank lines
with open('live.ip', 'r') as f:
    ip_list = [line.strip() for line in f if line.strip()]

# Loop through the IP addresses and check their country codes
for ip in ip_list:
    try:
        response = requests.get(f'https://ipapi.co/{ip}/country_code/', timeout=10)
    except requests.RequestException:
        continue  # skip IPs whose lookup failed
    # Keep only IPs that geolocate to the Netherlands
    if response.status_code == 200 and response.text.strip() == 'NL':
        print(ip)

The one-liner will be:

fping -a -g x.x.x.0/24 2>/dev/null | tee -a live.ip && python3 live.py | tee -a nl.ip

Now I had the IPs that belong to *.nl, so I grabbed the title and status of each IP to go through the selected websites. To do this I used httpx to narrow down my search.

cat nl.ip | httpx --title --status-code -probe --follow-redirects --silent -o httpx_result.txt

After doing 7–8 manual tests of websites, I ended up with an http://ip/ which contained a Twitter account link that was broken. I visited the SSL version of that IP and found the original domain to be redact.nl, and the link was also broken there on redact.nl.

Now I knew exactly what I had to do next; the exploit was clear to me. I quickly created a Twitter account with that broken username and boom! It worked. When I clicked on the Twitter link, it now redirected to my hijacked Twitter account.

I was successfully able to hijack the Twitter account and reported it immediately. But 24 hours after submission I got a reply mail saying that this *.nl domain doesn't come under the Dutch central government.

I thought I should at least publish a blog on this, so here it is.

Similar report on HackerOne: https://hackerone.com/reports/1117079

Hope you enjoyed reading :)
