Broken Link Hijacking
Description
This web application references external resources (such as JavaScript files or embedded frames) from domains that no longer resolve to valid IP addresses. These domains may have expired or been abandoned by their original owners. An attacker who registers such an expired domain can host malicious content at the original resource URLs, and your application's pages would then load and execute that content automatically in every visitor's browser.
Remediation
Identify and remove all references to non-resolving domains from your web application. Follow these steps:
1. Audit external resources: Review all <script>, <iframe>, <link>, and <img> tags to identify resources loaded from external domains.
2. Verify domain status: Test each external domain to confirm it resolves correctly and is under trusted ownership.
3. Replace or remove broken links: For each non-resolving domain, either:
• Host the required resource locally within your application
• Update the reference to point to a valid, trusted CDN or domain
• Remove the reference entirely if the resource is no longer needed
4. Implement monitoring: Establish periodic checks to detect when external resources become unavailable.
Example of fixing a broken script reference:
<!-- Before (vulnerable) -->
<script src="https://expired-domain.com/library.js"></script>
<!-- After (fixed) - Option 1: Use local copy -->
<script src="/js/library.js"></script>
<!-- After (fixed) - Option 2: Use trusted CDN with Subresource Integrity -->
<!-- "sha384-hash" is a placeholder: replace it with the base64 SHA-384 digest of the exact file served -->
<script src="https://cdn.example.com/library/1.0.0/library.js"
integrity="sha384-hash" crossorigin="anonymous"></script>
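The audit in steps 1, 2 and 4 and the integrity value left as a placeholder in Option 2 can both be scripted. The following is an added example, not code from the original finding or from any scanner: it collects the external hosts referenced by <script>, <iframe>, <link> and <img> tags, checks whether each host still resolves, and computes the Subresource Integrity string for a fetched resource body. The sample HTML, the hostnames in it and the stubbed DNS answers are constructed for the demonstration; dns_resolves performs a live lookup when no stub is supplied.

```python
"""Broken-link audit: list third-party resource hosts and flag those that no
longer resolve; derive an SRI integrity value for a resource body.

Added example, not part of the original finding. Sample HTML, hostnames and
the stubbed DNS results below are constructed for illustration.
"""
import base64
import hashlib
import socket
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Tags that pull in remote content, and the attribute holding the location.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every externally loadable resource."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.resources.append((tag, value))


def external_hosts(html: str, own_host: str) -> Dict[str, List[str]]:
    """Map each third-party hostname to the resource URLs loaded from it.

    Relative URLs (no hostname) and URLs on own_host are first-party and are
    skipped; scheme-relative URLs such as //cdn.example/x.js are kept, since
    the browser still fetches them from a foreign host.
    """
    collector = ResourceCollector()
    collector.feed(html)
    hosts: Dict[str, List[str]] = {}
    for _tag, url in collector.resources:
        host = urlsplit(url).hostname  # None for paths like /js/library.js
        if host and host.lower() != own_host.lower():
            hosts.setdefault(host.lower(), []).append(url)
    return hosts


def dns_resolves(host: str) -> bool:
    """Live check: does the host currently resolve to any address?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit(html: str, own_host: str,
          resolve: Callable[[str], bool] = dns_resolves) -> Dict[str, List[str]]:
    """Return {"ok": [hosts that resolve], "unresolved": [hosts that do not]}.

    Hosts under "unresolved" are the finding: host their resources locally,
    repoint them to a trusted origin, or remove the reference. Run this on a
    schedule (step 4) so a domain that lapses later is caught.
    """
    report: Dict[str, List[str]] = {"ok": [], "unresolved": []}
    for host in sorted(external_hosts(html, own_host)):
        report["ok" if resolve(host) else "unresolved"].append(host)
    return report


def sri_integrity(body: bytes) -> str:
    """Subresource Integrity value for a fetched resource body: the string
    that replaces the "sha384-hash" placeholder in Option 2 above."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed sample page; the domains are illustrative, not real findings.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/app.css">
<script src="/js/local.js"></script>
<script src="https://expired-domain.example/library.js"></script>
</head><body>
<img src="//images.example.net/logo.png">
<iframe src="https://www.app.example/embed"></iframe>
</body></html>
"""

# Stubbed DNS answers standing in for live lookups so the example runs offline.
STUB_DNS = {"cdn.example.com": True, "images.example.net": True,
            "expired-domain.example": False}


def stub_resolve(host: str) -> bool:
    return STUB_DNS.get(host, False)


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_HTML, "www.app.example", stub_resolve).items():
        print(status, hosts)
    print(sri_integrity(b"/* fetched library.js body goes here */"))
```

The audit deliberately keys on hostnames rather than full URLs: one expired domain usually backs several references, and it is the domain registration, not the path, that an attacker would take over. Pass the real page's HTML and omit the resolver argument to run the live DNS check.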