An obvious site vulnerability you may not be aware of

Discussion in 'Black Hat SEO' started by stharthjw6j, Nov 5, 2015.

  1. stharthjw6j

    stharthjw6j BANNED BANNED

    Joined:
    Dec 23, 2013
    Messages:
    588
    Likes Received:
    250
    Well I wasn't aware of it anyway, but then I'm not the most tech-savvy person there ever was. Here is the hack: I had my robots.txt locked in, had my site deindexed from the search engines, etc. But a Good Samaritan told me he had access to all my downloads simply by going to http://www.mywebsite.com then going through the alphabet.

    http://www.mywebsite.com/a
    http://www.mywebsite.com/b
    and so on.

    What browsers do is fill the rest of the URL just from the first letter after the slash. So if you have a download page on http://www.mywebsite.com/myproduct, they only have to enter:

    http://www.mywebsite.com/m

    then their browser will auto-fill it to http://www.mywebsite.com/myproduct, and people can access your inner pages. Try it on your websites now to check if this is happening to you. It's such a simple hack you might miss it.

    If this is boringly obvious to some of you, then have yourselves a clever cake, but I hope that helps some of the more technical caveman types on here. It was quite a surprise to me.
     
  2. Cryogenesis

    Cryogenesis Jr. VIP Jr. VIP

    Joined:
    Sep 1, 2013
    Messages:
    1,755
    Likes Received:
    2,445
    Gender:
    Male
    Location:
    India
    Browsers don't start filling in those addresses automatically until you've visited the URL already a few times or bookmarked it.
    Am I missing something here?
     
    • Thanks Thanks x 8
  3. stharthjw6j

    stharthjw6j BANNED BANNED

    The guy went through the whole alphabet and hadn't come to the pages before; he used the method to discover the pages, including the downloads. I tried it on some other sites and found pages I wasn't meant to see.
     
  4. handmadebots

    handmadebots Senior Member

    Joined:
    Nov 8, 2012
    Messages:
    962
    Likes Received:
    217
    True.
    The browser won't redirect http://domain.com/s to http://domain.com/some_important_stuff unless you've visited http://domain.com/some_important_stuff before
    or if your web server is set to redirect http://domain.com/s to http://domain.com/some_important_stuff

    Anyway, if you're selling something, and you go to http://domain.com/product, it should be forbidden. You should be able to see/download the product only after you've authenticated.

    Leaving your product "open" in the wild, without authentication, is just almost as bad as it can get :)
     
    Last edited: Nov 5, 2015
  5. stharthjw6j

    stharthjw6j BANNED BANNED

    I think the best way to explain this is with a demo. Here is a random website: http://mrplumberindy.com/ Now go through the alphabet and you'll get redirected.
     
    • Thanks Thanks x 1
  6. Cryogenesis

    Cryogenesis Jr. VIP Jr. VIP

    Wow that is weird!
    First site I've come across to do that redirection. I'm gonna end up trying this on every site I visit now haha. :D
    Thanks op.
     
  7. stharthjw6j

    stharthjw6j BANNED BANNED

    Lol, well it wasn't meant to be a hack idea, it was meant to warn you to check your websites for this vulnerability. But you're welcome.
     
  8. mickyfu

    mickyfu Jr. VIP Jr. VIP

    Joined:
    Dec 14, 2011
    Messages:
    7,221
    Likes Received:
    20,788
    Occupation:
    King Of Crypto C
    Location:
    Solihull Young Offenders
    This is true. I just typed in godofseo.ca/c and it came up with godofseo.ca/child-porn.
     
    • Thanks Thanks x 9
  9. TurkishDelight

    TurkishDelight Regular Member

    Joined:
    Sep 16, 2015
    Messages:
    219
    Likes Received:
    122
    rough breakup with your ex?
     
  10. Dokezar

    Dokezar Regular Member

    Joined:
    Sep 21, 2015
    Messages:
    320
    Likes Received:
    201
    Gender:
    Male
    Location:
    India
    WOW!! It really works!! :D Thanks OP.
     
  11. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,492
    Likes Received:
    11,190
    Occupation:
    CHEAP
    Location:
    DATASETS
    OP you better look further into this issue. There's something else going on there.
     
  12. mickyfu

    mickyfu Jr. VIP Jr. VIP

    Yeah it was pretty rough, but what else can you do when he does not satisfy you? That little two incher could not even make a chicken gag.
     
  13. Cryogenesis

    Cryogenesis Jr. VIP Jr. VIP

    He refers to Charles Floate.
     
  14. mickyfu

    mickyfu Jr. VIP Jr. VIP

    I think he knows, probably a Charlie fanboy.
     
  15. archon10

    archon10 BANNED BANNED

    Joined:
    Oct 10, 2011
    Messages:
    1,181
    Likes Received:
    1,668
    This isn't a hack. This is the way the site is configured. It's trying to "guess" an appropriate page for the user. He has a canonical set on the landing page, so I suppose it would work OK. The only problem I could see is that redirecting everything could get confusing for the crawler and possibly the user. Say I type "plumbing tools" into Google and I find this guy's site. Suppose he deleted the plumbing tools page and no longer sells them, so I'm redirected to a random page that has nothing to do with my search. I bounce and go to a competitor site, which could send low quality signals.

    I think it would be better to leave a 404 page and just provide links to users that say "we no longer have this product, but here are products you might like instead."
     
    • Thanks Thanks x 1
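
Added example, not part of any post in this thread: a minimal Python model of the server-side behaviour handmadebots and archon10 describe (the server, not the browser, redirecting a partial path to a guessed page), beside a strict resolver that returns 404 for non-exact paths and requires authentication for the download page. The page table, paths and function names are constructed for illustration.

```python
from typing import Callable, List, Optional, Tuple

# Constructed site map (not taken from any site in the thread);
# "protected" marks the paid download page.
PAGES = {
    "/about": {"protected": False},
    "/contact": {"protected": False},
    "/myproduct": {"protected": True},
}

Result = Tuple[int, Optional[str]]  # (HTTP status, page served or redirect target)

def resolve_guessing(path: str, authenticated: bool = False) -> Result:
    """Guess-the-page behaviour: an unknown path is 301-redirected to the
    first page whose slug starts with it, and nothing checks authentication."""
    if path in PAGES:
        return 200, path
    prefix = path.rstrip("/")
    if len(prefix) > 1:
        for slug in sorted(PAGES):
            if slug.startswith(prefix):
                return 301, slug
    return 404, None

def resolve_strict(path: str, authenticated: bool = False) -> Result:
    """Exact matches only; protected pages need an authenticated session."""
    page = PAGES.get(path)
    if page is None:
        return 404, None
    if page["protected"] and not authenticated:
        return 403, None
    return 200, path

def disclosed_protected(resolver: Callable[..., Result]) -> List[str]:
    """Owner-side audit: protected slugs that some shorter path redirects to."""
    found = set()
    for slug, meta in PAGES.items():
        if meta["protected"]:
            for n in range(2, len(slug)):  # proper prefixes: "/m", "/my", ...
                status, target = resolver(slug[:n])
                if status in (301, 302) and target == slug:
                    found.add(slug)
    return sorted(found)

if __name__ == "__main__":
    print("guessing:", resolve_guessing("/m"), disclosed_protected(resolve_guessing))
    print("strict:  ", resolve_strict("/m"), disclosed_protected(resolve_strict))
```

Neither robots.txt nor deindexing appears in either resolver: both only tell crawlers what not to list and play no part in whether a request is served.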
  16. davids355

    davids355 Jr. VIP Jr. VIP

    Joined:
    Apr 25, 2011
    Messages:
    10,199
    Likes Received:
    7,849
    Yea, something you are missing OP - no way a browser will do that, unless he means that when he actually visits site.com/c it redirects him. If that's the case, as said above, it's probably a redirect script in place.
    Or he has visited your site previously and just forgot about it.
     
  17. Pergonde

    Pergonde Junior Member

    Joined:
    Jan 7, 2015
    Messages:
    126
    Likes Received:
    29
    Occupation:
    IT Spec
    Location:
    EU
    Phew, just checked my sites. Nothing like that. Only 301/404 :)
     
  18. moonshine7000

    moonshine7000 Senior Member

    Joined:
    Mar 4, 2013
    Messages:
    1,046
    Likes Received:
    419
    Occupation:
    A+ IT technician,Clickbank and Amazon Marketer
    I see what you are saying is true. I tried it on my website; I'm getting 404 returns, not working.
     
  19. praetserge

    praetserge Power Member

    Joined:
    Apr 4, 2014
    Messages:
    651
    Likes Received:
    167
  20. TurkishDelight

    TurkishDelight Regular Member


    I'm aware, but he and that other guy are way too obsessed