
301 redirect script being abused - for what purpose?

@Chiappetta492

Posted in: #301Redirect #Redirects

Background

A few years ago we wrote a 301 redirect script that could be used by our clients to establish first party cookies before redirecting to their site (which in turn contained an iframe of ours which by that point could create/read first party cookies).

Something like www.ourdomain.com/redirect?return=http://clientdomain.com/clientpage
Which would establish a first party cookie then issue a 301 to the return parameter.

Issue

We have noticed a dramatic increase in seemingly malicious requests for this page, with odd destination parameters. For example:


1. /redirect?return=http://bfvev.freetzi.com
2. /redirect?return=http://www.youtube.com/watch?v=l456e7O9ZGY
3. /redirect?return=http://www.cognoschina.net/home/link.php?url=http://www.tklife.com.cn/home/link.php?url=http://www.kamyarshah.com/Marketing/
4. /redirect?return=http://www.m-bo.ru/bitrix/rk.php?goto=http://Abolished-your-mythology.tumblr.com/post/77355569234/shiv-shankaran-nair-the-deal-architect
5. /redirect?return=http://www.superdoctors.com/redirect?r=http://www.tklife.com.cn/home/link.php?url=http://www.kamyarshah.com/Marketing/
6. /redirect?return=http://www.slider.com/r.php?url=http://www.tklife.com.cn/home/link.php?url=http://www.kamyarshah.com/Marketing/
7. /redirect?return=http://ufacity.info/bitrix/redirect.php?event1=&event2=&event3=&goto=http://www.tklife.com.cn/home/link.php?url=http://www.kamyarshah.com/Marketing/
8. /redirect?return=http://www.x666xx.ru/redir.php%3Fhttp%3A//gesundheitstest.org/%3Fs%3Dzurueckbegleitendes
9. /redirect?return=http://www.dloutstanding.com/home/link.php?url=https://www.youtube.com/watch?v=E3xd_YTntRw
10. /redirect?return=http://www.thehighguy.ca/groups/does-a-link-developing-instrument-work-751305441/


Many of these are simple redirects to other domains (#1, #2, #10).

Many are 301s to other sites that look like they'll issue 301s as well - someone is chaining 301s (#3, #4, #5, #6, #7, #8, #9).

In some cases, someone is using us and a set of different third party 301 scripts to get to their ultimate destination (#3, #5, #6, #7)!

Question

Why? What would motivate someone to hand-craft links like these and post them on forums (I checked some of the referrers)? I can't really see what anyone has to gain by doing this.

The only thing I can think of is that they're hosting malicious content at the ultimate destination and are trying to fool simple browser addons that validate a link's trustworthiness (e.g. Avast has a Chrome addon that checks the rating of links in Google).

Does anyone have any ideas why? (And yes, we are about to implement a whitelist for domains that can use this redirect page).

Thanks.


@Megan663

Links like this are often used to bypass spam filters. They are obscuring the final spammy destination with a URL that appears to point to your site. The forum software likely has anti-spam measures that are fooled by this technique.

This is bad for your site because this will ultimately get your site added to the list of spammy sites. When you implement a redirect, it is best to whitelist the domains to which you can redirect. I typically allow redirects to my own domain name, and allow relative URLs.

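The allowlist check recommended in the answer above, as an added example (not code from either poster): it accepts only allowlisted hosts and same-site paths, and covers the usual ways a naive host check is sidestepped. `ALLOWED_HOSTS`, `FALLBACK` and `safe_redirect_target` are hypothetical names; restricting ports to 80/443 and requiring relative targets to start with a single `/` are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the site's own host plus registered client hosts (placeholders).
ALLOWED_HOSTS = {"www.ourdomain.com", "clientdomain.com"}
FALLBACK = "/"  # assumed safe landing page used when a target is rejected


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return raw unchanged if it is an acceptable redirect target, else FALLBACK."""
    # Reject empty values, whitespace and control characters (CR/LF header injection).
    if not raw or any(ord(c) <= 0x20 or c == "\x7f" for c in raw):
        return FALLBACK
    # Browsers treat "\" like "/", so "/\host" would leave the site.
    if "\\" in raw:
        return FALLBACK
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative target: only a same-site path starting with exactly one "/".
        return raw if raw.startswith("/") and not raw.startswith("//") else FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK  # javascript:, data:, scheme-relative "//host", ...
    if parts.username is not None or parts.password is not None:
        return FALLBACK  # "http://clientdomain.com@other.example/" host confusion
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match only: suffix or substring checks let "clientdomain.com.other.example" through.
    if host not in allowed_hosts or port not in (None, 80, 443):
        return FALLBACK
    return raw


if __name__ == "__main__":
    # Constructed sample inputs, modelled on the shapes seen in the question.
    for target in [
        "http://clientdomain.com/clientpage",
        "/account?tab=1",
        "//other.example/",
        "http://clientdomain.com@other.example/",
        "http://www.superdoctors.com/redirect?r=http://www.tklife.com.cn/home/link.php",
    ]:
        print(f"{target!r:85} -> {safe_redirect_target(target)!r}")
```

Logging rejected `return` values together with the referrer shows which forums are carrying the crafted links.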