Oct 5, 2019
after this tweet/thread
I got to the point of checking all the applications I'm responsible for to see if there's a way to do route hijacking.
Have you ever thought about it or come up with any measures against it?
The scenario is that you have any kind of dynamic content which uses a string/slug as the URL identifier without any unique prefix. For this example we will use users, because they are the most common case.
So all your users have a profile which is reachable via
Now you also have some static pages, let's say
The attack vector is that a malicious user detects this possibility and tries to hijack one of these pages by creating users with usernames like cart and so on.
There are several ways to prevent this. For sure the easiest and most common will be an "ugly" path prefix: example.com/user/gummibeer. You can use something more beautiful by using the @ character as a prefix, as long as your framework/router allows the use of this special character. Or, for sure the hardest and most insecure option, you maintain a list of reserved usernames/keywords. Or you make the ID (or any other unique identifier) public and use it as a suffix, like webwide does to prevent thread title clashes.
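As an added illustration (not code from the post or from any framework), a toy Python router that reproduces the slug clash and the mitigations listed above; the static pages, usernames and route shapes are constructed for the example.

```python
import re

# Constructed sample: top-level static pages of the application.
STATIC_PAGES = {"/cart", "/login", "/admin"}

def resolve_naive(path, users):
    """Vulnerable layout: a catch-all /{username} route that is matched
    before the static pages. Any existing username shadows the static
    page with the same path, which is the hijack described in the post."""
    slug = path.lstrip("/")
    if slug in users:
        return ("profile", slug)
    if path in STATIC_PAGES:
        return ("static", path)
    return ("404", None)

# Mitigation: a reserved-name list derived from the static pages.
# Caveat: it only covers pages that exist at registration time, which is
# why the post calls it the hardest option to maintain.
RESERVED = {p.lstrip("/") for p in STATIC_PAGES}

def username_allowed(name):
    """Reject registration of a username that equals a reserved slug."""
    return name.lower() not in RESERVED

def resolve_prefixed(path, users):
    """Mitigation: profiles live only under /user/<name> or /@<name>,
    so they can never match a top-level static path."""
    if path in STATIC_PAGES:
        return ("static", path)
    m = re.fullmatch(r"/(?:user/|@)([A-Za-z0-9_-]+)", path)
    if m and m.group(1) in users:
        return ("profile", m.group(1))
    return ("404", None)

def resolve_id_suffix(path, users_by_id):
    """Mitigation: public ID as suffix, e.g. /gummibeer-42. The numeric ID
    is the lookup key and the slug is cosmetic, so a clashing slug alone
    cannot take over a static path."""
    if path in STATIC_PAGES:
        return ("static", path)
    m = re.fullmatch(r"/(?:[A-Za-z0-9_-]+-)?(\d+)", path)
    if m and int(m.group(1)) in users_by_id:
        return ("profile", users_by_id[int(m.group(1))])
    return ("404", None)
```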