Uncovering Broken Link Hijacking: Techniques, Real‑World Cases, and Detection Tools
This article explains broken link hijacking, detailing stored and reflected attack vectors such as account spoofing, external JavaScript takeover, information leakage, and content hijacking, provides real‑world examples, and introduces practical tools like broken‑link‑checker and twitterBFTD for discovering vulnerable expired links.
Introduction
When a link points to an expired domain or page, Broken Link Hijacking (BLH) can occur. BLH has two types: reflected and stored. Although BLH is widely exploited in the wild, few researchers actively hunt for such links in bug bounty programs.
Stored BLH
2.1 Account Spoofing
When a company removes a social media account but leaves the link on its website, attackers can recreate the same account on the platform and impersonate the company.
2.2 External JS Hijacking
If an external JavaScript file is hosted on an expired domain, an attacker who takes over that domain can serve malicious code, achieving a stored XSS.
Example: <script src="//example.com/script.js"></script> where example.com has expired.
2.3 Information Leakage
Links lacking rel="noopener noreferrer" can leak information to the attacker‑controlled page when hijacked. Attackers may also monitor traffic to expired analytics pages to collect valuable data.
2.4 Content Hijacking
By taking over an expired domain, attackers can replace the page content. Notable cases include hijacking celebrity Twitter accounts.
Reflected BLH
When a reflected XSS vulnerability exists but the payload is constrained by href or src attributes, attackers can use expired links to bypass these restrictions.
3.1 Demonstration
Example: a page http://example.edu/?version=1.0.0 loads a JS file from cdn.example. If cdn.example is expired, an attacker can host a malicious script at the same path.
<script src="//cdn.example/1.0.0/script.js"></script>
Tools
4.1 broken-link-checker
Scans a target for expired links. Basic usage:
$ blc -rof --filter-level 3 https://example.com/
To reduce false positives, add exclusions:
$ blc -rfoi --exclude linkedin.com --exclude youtube.com --filter-level 3 https://example.com/
4.2 twitterBFTD
A small script published by misterch0c to find expired domains on Twitter.
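As an added example (not code from the article or from either tool above), the following Python script audits a single page for the three stored-BLH signals discussed: external <script src> hosts that no longer resolve (2.2), external <a href> hosts that no longer resolve (2.1 and 2.4), and target="_blank" links missing rel="noopener noreferrer" (2.3). The sample HTML and hostnames are constructed; the DNS check is injectable so the logic can be exercised offline, and a resolving host with a deleted account path still needs an HTTP check (which blc performs).

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page with hypothetical hosts; the script tag mirrors the cdn.example case.
SAMPLE_HTML = """<html><body>
<script src="//cdn.example/1.0.0/script.js"></script>
<a href="https://social.example/acme_corp" target="_blank">Follow us</a>
<a href="https://partner.example/" target="_blank" rel="noopener noreferrer">Partner</a>
<a href="/about">About</a>
</body></html>"""

class _LinkCollector(HTMLParser):
    """Collect (tag, url, rel, target) for every <script src> and <a href>."""
    def __init__(self):
        super().__init__()
        self.items = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.items.append((tag, a["src"], "", ""))
        elif tag == "a" and a.get("href"):
            self.items.append((tag, a["href"], a.get("rel") or "", a.get("target") or ""))

def dns_resolves(host):
    """True if the host still resolves; NXDOMAIN is the classic expired-domain signal."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def audit(html, page_url, resolves=dns_resolves):
    """Return (severity, absolute_url, reason) findings for one page."""
    parser = _LinkCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for tag, url, rel, target in parser.items:
        full = urljoin(page_url, url)  # also expands scheme-relative "//cdn.example/..."
        host = urlsplit(full).hostname
        if not host or host == page_host:
            continue  # same-origin links cannot be taken over via an expired third party
        if not resolves(host):  # script takeover = stored XSS (2.2); dead <a> = content/account risk
            sev = "high" if tag == "script" else "medium"
            findings.append((sev, full, f"{tag} points at unresolvable host {host}"))
        if tag == "a" and target == "_blank" and "noopener" not in rel.split():
            findings.append(("low", full, "target=_blank without rel=noopener noreferrer"))
    return findings
```

Run audit(SAMPLE_HTML, "https://www.example.com/") with the default resolver to use live DNS; hosts flagged "high" are the ones to re-register or remove first.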
360 Zhihui Cloud Developer