Route/URL hijacking

Gummibeer

Hey all,

after this tweet/thread

I got to the point to check all my applications I'm responsible for and see if there's a way for route hijacking.

Have you ever thought about it or come up with any measurements against it?

The scenario is that you have any kind of dynamic content which uses a string/slug as URL identifier without any unique prefix - for this example we will use Users because they are the most common.
So all your users have a profile which is reachable via example.com/gummibeer
Now you also have some static pages - let's say blog, about-us, tos and cart.

The attack vector is that a malicious user detects this possibility and tries to hijack one of these pages by creating users with usernames like blog, cart and so on.
There are several ways to prevent this; for sure the easiest and most common will be an "ugly" path prefix: example.com/user/gummibeer. You can use something more beautiful by using the @ character as prefix, as long as your framework/router allows using this special character. Or, for sure, the hardest and most insecure would be to maintain a list of reserved usernames/keywords. Or you make the ID or any other unique identifier public and use this as suffix - as Webwide does to prevent thread title clashes.

sfcgeorge

Sonic the developer
Gold Member
Joined
Oct 5, 2019
Messages
105
Reaction score
119
Points
460
Location
London, England
Local Time
Today, 06:24
Website
www.sfcgeorge.co.uk
Credits
404
Pronouns
He/Him
Real Name
Simon George
In Rails at least the order of routes determines priority, so put dynamic routes at the bottom.

Personally I tend to keep things namespaced like /users/sfcgeorge, but for more social sites users might not be happy with that. Could do Reddit style /u/sfcgeorge. Or I've seen some sites use subdomains for users, which I think looks pretty nice (sfcgeorge.example.com) but can be technically more difficult depending on your setup.

Gummibeer
Quoting sfcgeorge:
    In Rails at least the order of routes determines priority, so put dynamic routes at the bottom.

    Personally I tend to keep things namespaced like /users/sfcgeorge, but for more social sites users might not be happy with that. Could do Reddit style /u/sfcgeorge. Or I've seen some sites use subdomains for users, which I think looks pretty nice (sfcgeorge.example.com) but can be technically more difficult depending on your setup.

In Laravel it's the same - but you still have to think/know about this risk. In most test cases this will never give any error. I mean, who tests creating an imprint user without knowing about the possible problem this name could create?

Depending on language, framework and so on there are tons of possible solutions.
The main goal of this thread was to make people aware of it. For me this was never a topic in any company/project. It also never was a problem, but primarily because we always had prefixes or suffixes for other reasons.

This gets really bad if you have multiple entities with dynamic URLs in the same path/namespace.
Like users and companies.

I think a little path prefix like u for user, or gh for GitHub in CI tools, is pretty common.
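As an added example that is not part of the thread and not code from Rails, Laravel or Webwide: a minimal first-match router in Ruby reproduces the username-versus-static-page collision from the opening post and applies two of the fixes discussed (static routes registered before the dynamic one, as noted for Rails, and a unique /u/ path prefix). The page names and usernames are constructed from the thread's own example.

```ruby
# Minimal first-match router, constructed to reproduce the collision the thread
# describes (added example; not code from Rails, Laravel or Webwide).
class Router
  Route = Struct.new(:pattern, :handler)
  def initialize
    @routes = []
  end

  # Pattern segments are literals or ":name" for a dynamic slug segment.
  def add(pattern, handler)
    @routes << Route.new(pattern.split("/").reject(&:empty?), handler)
    self
  end

  # First registered match wins, as in Rails' and Laravel's route tables.
  def resolve(path)
    segs = path.split("/").reject(&:empty?)
    @routes.each do |r|
      next unless r.pattern.length == segs.length
      params = {}
      matched = r.pattern.zip(segs).all? do |pat, seg|
        pat.start_with?(":") ? (params[pat[1..-1]] = seg) : pat == seg
      end
      return [r.handler, params] if matched
    end
    [:not_found, {}]
  end
end

STATIC_PAGES = %w[blog about-us tos cart].freeze # constructed from the thread
def add_static(router)
  STATIC_PAGES.each { |p| router.add("/#{p}", p.to_sym) }
  router
end

# Vulnerable: profile catch-all registered first, so username "cart" hijacks /cart.
def vulnerable_router
  add_static(Router.new.add("/:username", :profile))
end

# Fix 1: static routes first; route order decides priority.
def ordered_router
  add_static(Router.new).add("/:username", :profile)
end

# Fix 2: a unique prefix (/u/...) so no slug can ever collide with a page.
def prefixed_router
  add_static(Router.new).add("/u/:username", :profile)
end
```

With the vulnerable table, resolving /cart yields the profile handler with username "cart"; with either fix it yields the cart page, and under the prefixed table a bare /gummibeer no longer matches anything.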