What are the "hidden" redirect pages some websites use when clicking on links?

Solution 1

Redirects are used for various reasons.

One reason is that it increases privacy. When you follow a link, your browser sends a referer - the site you are coming from. This means the owner of the website you are going to knows exactly where you came from. A redirect page in between obscures this. Say the page you are viewing is SO. SO doesn't use a redirect for links. This means whenever an external site is linked from SO and you follow that link, the owner of the external site knows exactly which SO answer (or question) you came from. If there was a redirect in place, the third party would only get to know that you came from somewhere on SO, but no longer from where exactly. If an SE redirect was used, he might only get to know that you came from somewhere inside the whole SE network.

Another reason can be security. Some sites use GET parameters to store session IDs (this was much more popular in the past, when users not using cookies was a much greater concern). Leaking the session ID to a third party is dangerous because it allows the account to be (temporarily) taken over. A redirect solves this by not leaking the session ID through it.

But there are other reasons. A website owner might want to track which links a user clicks. This is ordinarily not possible. A redirect can easily be used to count which link is clicked how often.

You can also display information pages in between. This can be done for various reasons - to notify the user that he is leaving your site (and the curated content), or to display additional ads when the user is leaving anyway.

The reasons are manifold, and none of them are outright bad.

There are several techniques which can be used to obscure this from the user at first sight.

<a href="redirect.php?url=example.org">example.org</a>

Note that in this example, you only see example.org as the link, but it actually goes to redirect.php?url=example.org. In this case, you are able to see this on mouseover in the corner of your browser.

You can, however, also use JS to obscure it:

<a href="#" onclick="javascript:window.location='redirect.php?url=example.org'">example.org</a>

Here, the link relies on JavaScript being enabled in your browser and uses that to bring you to the (obscured) location. This cannot be seen on mouseover, but only by inspecting the page source.

There are even better ways to obscure this with JS that get more and more difficult to find out.

This can be used to deceive users. That's one of the reasons URL shorteners have become unwanted on a lot of platforms - because they use the same redirecting technique, the user doesn't see where he ends up, and because you don't know what kind of information the URL shortening service tracks from your users.

Solution 2

These links are being manipulated using other technologies and aren't simple HTML. The technology used on the site could vary widely: PHP, JavaScript, etc. The owner/operator of the site has made the effort to make the links appear to be normal links, but their functionality is radically different because of the underlying scripts. Unfortunately, even with simple HTML, there's no guarantee that the text you see is actually where the link will take you.

Many forums provide this redirect as an alert to their users that they may have clicked something dangerous, and out of the control of the forum's operators. A malicious user could post a link to a virus on a very legitimate site's forums. The link could appear to be legitimate but this sort of warning can be helpful and tell the user of the forum where they'll actually end up and often offer them a chance to abort their attempt to follow the link.

Other sites will use this sort of redirect as an opportunity to generate one last bit of ad revenue as they realize they're losing their audience.

All in all, this technology isn't inherently evil or bad; it really depends on the owner of the site and their application/goals.

It's not really a security flaw; it could be seen as deceptive or interruptive to normal browsing expectations though. Unfortunately, as a user you have little recourse. If you know a site uses them, you can refuse to click on external links that will generate these redirect pages. You could also opt for manually entering the URL yourself.

Solution 3

I think you are mixing several things together.

  1. What you see as a link on a website is just text. It does not necessarily have anything to do with where the link goes. Example: a link can read "see this on youtube" but link to "hacker.ru".
  2. What you see when you hover your mouse over it is the real URL that would be executed. When you click, this is what your browser sends.
  3. That URL, however, can be a simple HTML page, or an HTML page that is auto-forwarded to any other HTML page, or it can be processed by a server and make a lot of things happen, like starting a download, or going to yet another URL.
  4. Each page that gets loaded this way can repeat either redirection, until you (hopefully) finally get something displayed.

Each server in the chain gets basic data about you; this depends on what your browser allows them to see. Typically this includes your OS type and version, your browser type and version, and maybe your user ID, your approximate location, your advertisement identifier, and some other stuff. Most browsers nowadays allow you to limit that, down to only browser and OS version.

I have never heard of that 'hxxp' idea, and I doubt that it is real, or if so, that it makes any difference. I think this is a fairy tale, but maybe someone else can enlighten us there.

Solution 4

hxxp:// links are an attempt to prevent a URL from being recognized as a link. Since that's not a real protocol, automated link followers like search engines won't recognize such links as links. That could help with privacy concerns (if someone doesn't want a search engine to know they're linking to a certain thing from a certain place). More importantly, it forces the user to manually copy/paste and adjust the URL in the address bar. When the user navigates in this way, the browser won't supply the Referer, which would otherwise specify where the user clicked the link from, so the target site won't know how the visitor found the destination page. Also, such links stop the user from accidentally clicking to something malicious.

Redirect pages also have the property of obscuring the Referer. They could also allow the redirect's owner to more easily collect statistics on where people are coming from and going to.

If a link's target doesn't show its real destination when you hover over it, the navigation is actually being performed by JavaScript, not the href attribute on the <a> element. Consider this HTML document, for instance:

<html><head><title>Sketchy Site</title></head><body>
<a href="#" onclick="window.location.href = 'http://superuser.com';">Totally Legit Link</a>
</body></html>

When you hover over that link, your browser will show the current path plus a # in the bottom right, but when you click it, you'll be taken to the Super User homepage. Surprise!
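The gap between what a link shows on hover and where a click actually leads, described in the answers above, can be checked mechanically. The following is an added example, not code from any of the answers: it parses anchors and reports, for each, the visible text, the hover target, the resolved destination, and whether script navigation or a redirect page is involved. The names `audit`, `LinkAuditor` and the parameter list in `TARGET_PARAMS` are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TARGET_PARAMS = ("url", "u", "to", "target")  # assumed names for the wrapped target
JS_NAV = re.compile(r"\blocation(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")

# Constructed sample input: the three link snippets quoted in the answers above.
SAMPLE = """<a href="redirect.php?url=example.org">example.org</a>
<a href="#" onclick="javascript:window.location='redirect.php?url=example.org'">example.org</a>
<a href="#" onclick="window.location.href = 'http://superuser.com';">Totally Legit Link</a>"""

def unwrap(href):  # target carried in a redirector's query string, or None
    query = parse_qs(urlparse(href).query)
    return next((query[p][0] for p in TARGET_PARAMS if p in query), None)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = dict(attrs, text="")

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag != "a" or self._cur is None:
            return
        link, self._cur = self._cur, None
        hover = dest = link.get("href") or ""
        flags = []
        js = JS_NAV.search(link.get("onclick") or "")
        if js:  # hover shows href, but the click is handled by script
            dest = js.group(1)
            flags.append("js-navigation")
        inner = unwrap(dest)
        if inner:  # the click passes through an intermediate redirect page
            dest = inner
            flags.append("redirector")
        self.links.append((link["text"].strip(), hover, dest, flags))

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.links
```

Each tuple returned by `audit(SAMPLE)` is `(text, hover, destination, flags)`; only static `onclick` assignments are recognised, so navigation wired up from external scripts is outside what this check sees.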

Author: Celeritas

Updated on September 18, 2022

Comments

  • Celeritas, over 1 year

    I'm not sure how to phrase this question. A long time ago I read on a forum about a rule which stated that users had to replace http with hxxp in links to prevent the server (or someone) from spying on them. I noticed that some websites have an unnoticeable "redirect" page that a user is taken through after clicking on a link to take them to a different website. What is this about?

    I was just using Slack.com and noticed there was a link to https://pr.to/example/ When I clicked on the link I was taken to an intermediate page (https://slack-redirect/link?url=https://pr.to/example/&v=3 or something like that) and then taken to the final page. What is this?

    I also noticed that my browser usually did not show the URL of the intermediate page when I hovered over the link (but it sometimes did). I'm using the latest version of Firefox. Isn't this sort of a security flaw, being taken to a different page than the URL says?

  • Celeritas, almost 8 years
    You misunderstand the whole question and think it's much simpler than it is.
  • Celeritas, almost 8 years
    What I don't get is that for slack.com the redirect page was invisible. I know some may serve the purpose to say "you are leaving our site and we are not responsible for any damage" but some do not.
  • Michael Hampton, almost 8 years
    @Celeritas Slack does it to hide the referring page from the website you're about to visit. Because of this, the destination site cannot see what Slack team and channel you came from.
  • Celeritas, almost 8 years
    I tried to make a more constructive comment but it seems you misunderstand a great deal. For example, what do you even mean by HTML page, a web page that doesn't contain JavaScript? -1
  • Celeritas, almost 8 years
    @MichaelHampton that's what I'm trying to ask about, how does referring work? So an HTTP request includes a header that specifies the site you currently are on? And to hide this (as it may be sensitive information) some sites redirect through an intermediate page?
  • Ro-ee, almost 8 years
    @Celeritas: Yes, the other side receives an HTTP request where "Referer: xyz..." is specified, thus giving you the page where the user clicked on the link. This is mitigated with all the in-between pages. Also, these in-between pages are the only way for a web site to tell which external links on a page have been clicked, as they wouldn't have access to the external page's web server logs.
  • Hagen von Eitzen, almost 8 years
    @Celeritas Note that it is the browser who adds the Referer: header. Hence in principle it is the user who could take measures to hide where we came from (and a paranoid web server won't trust what the Referer: header claims). The two step redirect you ask about just ensures that even an out-of-the-box browser won't leak the "true" referrer page.
  • Celeritas, almost 8 years
    If a user manually types a URL in the address bar does it still have a Referer?
  • Xiong Chiamiov, almost 8 years
    Almost every page you view in a browser will use HTML, but what GP actually said was "simple HTML page", which I'd take to mean a static page that doesn't automatically forward you on somewhere else.
  • Xiong Chiamiov, almost 8 years
    Re: hxxp, it's a way for users who don't have permission to post links (usually because the site operators are trying to cut down on spam) to still provide a URL to readers; the expectation is that other users will copy the link and change hxxp to http to make it valid.