Canonical Link Attack

Details

Vector type:
Link Attack
Risk level:
Moderate
Impact level:
Low to Moderate

A canonical link attack relies on creating large numbers of links pointing at a single target web page, each with the URI altered (the case changed, spurious parameters appended) so that every link is a distinct, uncanonicalized variant of the same page. The core concept is to waste the victim's server resources, since each variant is a fresh request the server must handle in full, as well as Google's crawl budget, since each variant is a fresh URL to crawl. As an added bonus, the Canonical Link Attack also creates a localized version of a "Canonical Confusion Attack" on the targeted website.

Defense

The best defense against this is to implement canonicalization, PROPERLY. Ideally, your site should have a "hard canonical" setup (301/308 redirects) for host-level variants (protocol, subdomains, TLDs) and for unacceptable parameters and values: every variant is redirected to the one canonical URL instead of being rendered as a page in its own right, so the attacker's traffic costs you a redirect rather than a full page build.

#FunFact: Hardly anyone does this.

You should also have proper canonical tags in place, since these tell search engines which URL to index and so handle parameter and value variants before they can become a problem. Bear in mind that a rel=canonical tag is index-side only: the server still builds the variant page to emit the tag, so on its own it does nothing for the resource-waste half of the attack.
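A worked example of the "hard canonical" setup and the canonical tag described above, added here as illustration (this is not the page's own code). It assumes a hypothetical site policy: canonical host www.example.com over https, a fixed set of owned hostnames, all-lowercase paths, and an allowlist of query parameters (page, q); anything outside the policy is dropped and the request is redirected with a 308 rather than served. The sample variants at the bottom are constructed to look like what the attack sprays at one page.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical site policy for this example (assumed, not taken from the page).
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "www.example.com"
# Hostnames the site answers for (other subdomains / TLDs we own); anything
# else is not our traffic at all.
OWNED_HOSTS = {"example.com", "www.example.com", "example.net", "www.example.net"}
# Query parameters that legitimately select different content. Every other
# parameter (tracking junk, attacker-appended noise) is dropped.
ALLOWED_PARAMS = {"page", "q"}


def canonicalize(url: str) -> str:
    """Map any variant of a URL to its single canonical form.

    Assumes the site's own URLs are all lowercase, so case variants of the
    path ("/Page", "/PAGE") are the same resource as "/page".
    """
    parts = urlsplit(url)                     # urlsplit lowercases the scheme
    host = parts.hostname or ""               # .hostname is already lowercased
    if host not in OWNED_HOSTS:
        raise ValueError("request for a host we do not serve: %r" % host)

    path = parts.path.lower() or "/"
    while "//" in path:                       # collapse duplicated slashes
        path = path.replace("//", "/")
    if len(path) > 1 and path.endswith("/"):
        path = path.rstrip("/")               # one trailing-slash convention: none

    kept = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in ALLOWED_PARAMS and key not in kept:
            kept[key] = value                 # first occurrence wins, repeats dropped
    query = urlencode(sorted(kept.items()))   # one fixed parameter ordering
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, path, query, ""))


def decide(url: str) -> tuple:
    """Hard canonical: redirect every variant, serve only the canonical URL."""
    canonical = canonicalize(url)
    if url != canonical:
        return ("redirect", 308, canonical)   # cheap: no page rendering at all
    return ("serve", 200, canonical)


def canonical_tag(url: str) -> str:
    """rel=canonical tag for the page body (soft canonical, index-side only)."""
    return '<link rel="canonical" href="%s">' % escape(canonicalize(url), quote=True)


def distinct_pages(urls) -> set:
    """How many distinct pages a batch of (attacker-generated) links resolves to."""
    return {canonicalize(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample: the kind of variants the attack sprays at one page.
    variants = [
        "http://example.com/Page?utm_source=x&page=2",
        "HTTPS://www.Example.NET/PAGE/?junk=1&page=2&page=3",
        "https://www.example.com//page?page=2&zzz=",
        "https://www.example.com/page?page=2",
    ]
    for v in variants:
        print(v, "->", decide(v))
    print(len(distinct_pages(variants)), "distinct page(s)")
```

The point of the redirect path is that a variant never reaches the application: scheme, host, case, duplicate slashes, trailing slash, parameter set and parameter order are all folded into one URL before any page logic runs, and only the canonical form is served with a 200. The tag is then just the same canonical string echoed into the HTML of that one page.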

The most common solution is to deploy thorough robots.txt directives. These will prevent (good) crawlers, such as search engine bots, from requesting such URLs. The problem is that you don't know what variants people will try, robots.txt path matching is case-sensitive, and robots.txt says nothing to the attacker's own requests or to crawlers that ignore it, so it protects crawl budget at best and does nothing for the server-resource half of the attack.
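To make the robots.txt caveat concrete, here is an added example (not from the page) of a small robots.txt matcher with the standard path semantics: prefix match, `*` wildcard, `$` end anchor, case-sensitive paths, longest matching rule wins with Allow winning ties. The robots.txt it parses and the sprayed variants are constructed for the example, and a single `User-agent: *` group is assumed (group selection is not modelled). Run it and you see which attack variants a rule-abiding crawler still fetches.

```python
import re

# Constructed robots.txt for this example (assumed, not from the page).
ROBOTS_TXT = """\
User-agent: *
Disallow: /*?          # any URL carrying a query string
Allow: /search?q=      # except the real search endpoint
Disallow: /private/
"""


def parse_rules(text: str) -> list:
    """Return [(allow: bool, path_pattern), ...] from the Allow/Disallow lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field in ("allow", "disallow") and value:
            rules.append((field == "allow", value))
    return rules


def pattern_to_regex(pattern: str):
    """robots.txt path matching: prefix match, '*' wildcard, '$' end anchor.
    Matching is case-sensitive, so '/page' does not cover '/Page'."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile("^" + body + ("$" if anchored else ""))


def crawl_allowed(rules: list, path_and_query: str) -> bool:
    """Most specific (longest) matching rule wins; on a tie, Allow wins."""
    best = None   # (pattern length, allow)
    for allow, pattern in rules:
        if pattern_to_regex(pattern).match(path_and_query):
            cand = (len(pattern), allow)
            if best is None or cand[0] > best[0] or (cand[0] == best[0] and allow):
                best = cand
    return True if best is None else best[1]


def variants_slipping_through(rules: list, variants) -> list:
    """Attack variants a rule-abiding crawler would still fetch."""
    return [v for v in variants if crawl_allowed(rules, v)]


if __name__ == "__main__":
    rules = parse_rules(ROBOTS_TXT)
    # Constructed sample of the variants the attack sprays at "/page".
    sprayed = ["/page?utm=1", "/page?a=1&b=2", "/Page", "/PAGE/",
               "/private/notes", "/Private/notes"]
    print("crawled despite robots.txt:", variants_slipping_through(rules, sprayed))
```

The wildcard rule catches every parameter variant in one line, which is why robots.txt is the popular fix. The case variants and the capitalised private path sail straight past it, and there is no finite Disallow list that covers every spelling an attacker can invent; that is the page's point about not knowing what variants people will try, and why the redirect-based hard canonical has to do the real work.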

