Route/URL hijacking

Gummibeer

Astroneer
Moderator

Hey all,

after this tweet/thread


I got to the point of checking all the applications I'm responsible for to see if there's a way to do route hijacking.

Have you ever thought about it or come up with any measures against it?

The scenario is that you have any kind of dynamic content which uses a string/slug as URL identifier without any unique prefix - for this example we will use Users because they are most common.
So all your users have a profile which is reachable via example.com/gummibeer
Now you also have some static pages - let's say blog, about-us, tos and cart.

The attack vector is that a malicious user detects this possibility and tries to hijack one of these pages by creating users with usernames like blog, cart and so on.
There are several ways to prevent this; for sure the easiest and most common will be an "ugly" path prefix: example.com/user/gummibeer. You can use something more beautiful by using the @ character as a prefix, as long as your framework/router allows using this special character. Or, for sure, the hardest and most insecure would be to maintain a list of reserved usernames/keywords. Or you make the ID or any other unique identifier public and use it as a suffix - like webwide does to prevent thread title clashes.

 

sfcgeorge

Sonic the developer
Gold Member

In Rails at least the order of routes determines priority, so put dynamic routes at the bottom.

Personally I tend to keep things namespaced like /users/sfcgeorge, but for more social sites users might not be happy with that. Could do Reddit-style /u/sfcgeorge. Or I've seen some sites use subdomains for users, which I think looks pretty nice (sfcgeorge.example.com), but it can be technically more difficult depending on your setup.

 

Gummibeer

Astroneer
Moderator

In Rails at least the order of routes determines priority, so put dynamic routes at the bottom.

Personally I tend to keep things namespaced like /users/sfcgeorge, but for more social sites users might not be happy with that. Could do Reddit-style /u/sfcgeorge. Or I've seen some sites use subdomains for users, which I think looks pretty nice (sfcgeorge.example.com), but it can be technically more difficult depending on your setup.

In Laravel it's the same - but you still have to think/know about this risk. In most test cases this will never give any error. I mean, who tests creating an imprint user without knowing about the possible problem this name could create?

Depending on language, framework and so on there are tons of possible solutions.
The main goal of this thread was to make people aware of it. For me this was never a topic in any company/project. It also never was a problem, but primarily because we always had pre- or suffixes for other reasons.

This gets really bad if you have multiple entities with dynamic URLs in the same path/namespace.
Like users and companies.

I think this little path prefix like u for user or in CI tools gh for GitHub is pretty common.
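Added example, not code from the thread or from any framework: a minimal ordered router in plain Ruby that shows the shadowing from the first post (a dynamic /:username route placed before the static pages) beside the two fixes discussed here: static-first route ordering plus a reserved-name check derived from the route table, and the /u/ prefix that cannot collide at all. Page names, usernames and the router itself are constructed for illustration.

```ruby
# Static pages of the constructed sample site (blog, about-us, tos, cart).
STATIC_PAGES = %w[blog about-us tos cart].freeze

# Dynamic profile route in the same namespace as the pages: /:username
SLUG    = %r{\A/([a-z0-9-]+)\z}
# Namespaced variant from the thread: /u/:username can never clash with a page.
PREFIXED_SLUG = %r{\A/u/([a-z0-9-]+)\z}

STATIC  = STATIC_PAGES.map { |p| [%r{\A/#{Regexp.escape(p)}\z}, "page:#{p}"] }
PROFILE = [[SLUG, :profile]]
PREFIXED_PROFILE = [[PREFIXED_SLUG, :profile]]

# Route tables in priority order. The first match wins, as in Rails/Laravel.
VULNERABLE_ROUTES = PROFILE + STATIC      # dynamic route first: pages can be shadowed
HARDENED_ROUTES   = STATIC + PROFILE      # static pages first: a username can't win
NAMESPACED_ROUTES = STATIC + PREFIXED_PROFILE

# Resolve a request path against a route table; `users` is the set of
# registered usernames. Returns the handler that would serve the request.
def resolve(routes, path, users)
  routes.each do |pattern, handler|
    m = pattern.match(path) or next
    return handler unless handler == :profile
    # A profile route that matches but finds no such user is a 404, not a
    # fall-through to later routes (mirrors typical controller behaviour).
    return users.include?(m[1]) ? "user:#{m[1]}" : "404"
  end
  "404"
end

# Registration-time check for the un-prefixed layout: the reserved list is
# derived from STATIC_PAGES rather than maintained by hand, so adding a page
# to the route table reserves its name automatically.
def username_allowed?(name)
  name.match?(/\A[a-z0-9-]+\z/) && !STATIC_PAGES.include?(name)
end

if __FILE__ == $PROGRAM_NAME
  attacker = ["blog"]   # a user who registered the name of a static page
  puts "vulnerable /blog -> #{resolve(VULNERABLE_ROUTES, '/blog', attacker)}"
  puts "hardened   /blog -> #{resolve(HARDENED_ROUTES, '/blog', attacker)}"
  puts "namespaced /u/blog -> #{resolve(NAMESPACED_ROUTES, '/u/blog', attacker)}"
  puts "username 'cart' allowed? #{username_allowed?('cart')}"
end
```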
