3 Ways to Prevent a URL Redirect Attack

Cybercriminals are sometimes stealthy in their attacks — especially when financial gains are involved. Hitting the jackpot requires time and patience. Hackers also employ “noisy” attacks that typically promote very radical or personal views on various subjects intended for victims and other website visitors to see.. Some common website attacks can be either noisy or stealthy, just like the notoriously clever URL redirect attack.

Cybercriminals use URL redirection attacks to take advantage of users’ trust. They redirect traffic to a malicious web page using URLs embedded in website code, an .htaccess file, or a phishing email. These attacks are frequent, too: high severity attacks, which include URL redirection attacks, were up 86% from 2021 to 2022.

For example, a cybercriminal might send a phishing email that includes a copycat of your website’s URL. This link might look like your website’s URL, but it is actually a phishing attack that will lead users to a malicious site with forms and login pages that request user credentials and personal information. Because the phishing site link appears legitimate and users believe they’re on a trusted website, they often willingly share personal information without suspicion.

Redirection attacks are also commonly used to perform other social engineering attacks, such as server-side request forgery and cross-site scripting (XSS) attacks.

How to spot a URL redirection vulnerability

Stealthy attacks are difficult to diagnose, including ones that redirect users. Some website owners don’t realize cybercriminals are at work until their web hosts suspend their sites or they notice significant drops in website traffic after checking tools such as Google Analytics.

Search engines also perform regular site scans and blacklist websites if they detect an infection. That being said, it can take quite some time before Google notifies you that your site is unsafe, which leaves your site’s visitors susceptible to potential security threats and puts your brand reputation at risk.

There are three common types of redirection vulnerabilities to look out for:

• Parameter-Based URL Redirection
• Session Restoration URL Redirection
• DOM Based Open Redirects

Parameter-based URL redirection is a method where the redirection destination is determined by the parameter value in the URL. For instance, a URL like “example.com/redirect?target=maliciousurl.com” would lead users to “maliciousurl.com” if the redirection logic is improperly configured. This technique is stealthy as it uses legitimate web services to redirect users to malicious sites.

To identify parameter-based URL redirection, look out for URLs that include query string parameters like "redirect," "url," "link," "target," and other suggestive terms or parameters that you’re not familiar with on your site. The parameter's value will typically be the destination website.

Session Restoration URL Redirection occurs when a user's session state is embedded in the URL to allow the user to bookmark or share their session. For instance, if a user interacts with a dynamic web application and their actions or inputs are saved as URL parameters, this URL can be used to restore the session later. While this is convenient for users, it can be exploited by attackers.

Malicious actors can manipulate the URL parameters to direct users to unintended content or to inject malicious scripts after user authentication. This redirection happens when users trust the familiar base domain and may not closely inspect the parameters, making them easy targets. Watch for unusually long URLs or many parameters to identify Session Restoration URL Redirection. Such URLs are prime candidates for this type of attack, especially if they are generated by web applications that rely heavily on user input. You should test session-based restoration URLs with a redirect URL appended to it, for example, https://example.com/login?returnUrl=https://www.sitelock.com. Then, ensure validation is applied to verify the URL.

DOM (Document Object Model) Based URL Redirection is a redirection attack executed in the DOM environment of the victim's web browser. It's different from other types of redirection attacks in that the actual page remains unchanged; instead, the client-side scripts in the page execute differently due to the malicious modifications in the DOM. For instance, if a web application uses JavaScript to read the document.location property and uses this to decide where to redirect the user, an attacker can manipulate this behavior to take advantage of an open redirection vulnerability that sends users to another site.

Website owners must be proactive regarding their website’s health and security. They can do this by using cybersecurity solutions that alert them to these attacks the moment they occur.

How to stop URL redirection attacks

Fortunately, protecting your website and your customers doesn’t have to be complicated or time-consuming. Start with these three crucial steps:

1. Use a web application firewall.

A web application firewall is a great first line of defense for directing malicious actors away from your website. Using a WAF guards your site against the most common types of attacks, and some solutions even provide security reports highlighting essential data (such as site traffic). A firewall allows you to monitor your traffic for significant declines, which is also one key sign of a URL redirect attack.

2. Use an automated website scanner.

An automated website scanner will help you detect malware in your site’s files and database faster than if you review them on your own. An effective website scanner should be able to detect and remove these active infections daily to minimize negative impacts on your business and customers.

3. Keep software up-to-date.

Cybercriminals typically gain unauthorized access to small business websites by exploiting outdated code. If you use a content management system, third-party plugins or widgets, or other software to enhance your site, you must be diligent about updating it to avoid open redirect vulnerabilities. Implement the patches and updates that developers release to fix existing vulnerabilities and mitigate new threats.

The cybersecurity landscape is changing rapidly each day, and it can be difficult to keep up with on your own. Having a trusted cybersecurity partner, like SiteLock, who knows how to prevent these attacks can save you time and keep your customers safe from malicious websites. Your customers’ trust is vital to the health of your small business — don’t let cybercriminals take advantage of it. SiteLock can help implement the steps above to protect your customers and ensure you can mitigate a URL redirection attack quickly.

Has your site been hacked? If so, learn about SiteLock's website hack cleanup services, and get help today.

Monique Becenti is a product and channel marketing specialist at SiteLock, a cloud-based website security provider currently protecting more than 16 million websites globally. Monique is passionate about improving the customer experience for all. SiteLock’s combination of dedicated research and developmental efforts, aggressive product road maps, and access to a massive global data set make the company a leading innovator in web security.