
I work for a search monitoring company and I'm currently investigating some advertisements which are hiding malicious URLs in masked, server-side redirects. When users click these ads, they're redirected through a domain located on a server with some malicious code on it, but that domain is being masked by URL forwarding services, like Porkbun, so all we see is the mask domain, but not the one behind the scenes. I'm wondering, is there any possible way at all to obtain that hidden, server-side URL? Or is there a way to get any additional information about the hidden URL?

ooo
  • In what sense is it hidden? If you send the request, surely you must see the redirect response? – Håkan Lindqvist Mar 05 '21 at 23:38
  • The response I see is the domain which is masking the redirect. So, for example, it's something like this: link --> mask domain [--> hidden url -->] mask domain --> landing page. Everything inside of the brackets is hidden, so all I see is link --> mask domain --> landing page. – ooo Mar 05 '21 at 23:47

1 Answer


Edit: the original answer did not solve the OP's problem. This is my second attempt. See the original answer below.

OP comment

I'm using Chrome Inspect menu to view the full redirect path. Chrome does show the location response headers, but it only shows the mask URL in the request URL header section.

On the practical side of things

At this point I would consider contacting https://porkbun.com and explaining your situation. Give them the evidence you have collected so far (the parts that you are allowed to share). If they are a legitimate business, they hate it when criminals abuse their service. There is a chance they would be willing to cooperate.

On the technical side of things

It is very difficult to troubleshoot with this little information.

  • If you are pointing a real browser at the malicious URL, it is possible that the malware successfully infects it and feeds you misinformation.

  • Here is another possibility:

    1. The malicious advert contains a link to https://porkbun.com/<path here>
    2. https://porkbun.com/<path here> is a 301 redirect to https://<evil>.com/<more evil>
    3. https://<evil>.com/<more evil> is not an HTTP redirect but rather an HTML page that
      1. Performs an attack
      2. Uses any number of HTML or JS tricks to navigate the browser to https://porkbun.com/<another path here>
        • It is possible that Chrome Inspect resets the network history when a navigation happens. That is what Firefox dev tools do by default.
  • Maybe porkbun URL forwarding does serve different responses based on IP, geolocation, user agent string, cookies or any number of other factors.
    • Maybe the attacker uses an API to automatically change the destination of a link after it is clicked once or after a period of time.
    • One possible way to find their full feature set would be to sign up with them. If they have a feature, you'll find it in their management UI.
  • Are you sure this is the URL forwarding service? porkbun also offers hosting. Maybe there is an attacker-controlled server hosted on porkbun giving you different responses.

The original answer

https://porkbun.com/products/url_forwarding does not advertise any advanced features such as trying to distinguish a browser from any other user agent. It probably sends the same response to everyone. In that case the url can be found in the Location response header.

all I see is link --> mask domain --> landing page.

It sounds like your HTTP client automatically follows redirects and gives you the last response in the redirect chain.

How HTTP redirects work:

  1. A client requests https://example.com/foo
    GET /foo HTTP/1.1
    Host: example.com
    
  2. example.com responds with a redirect
    HTTP/1.1 301 Moved Permanently
    Location: https://en.wikipedia.org/wiki/HTTP_301
    
  3. The client requests https://en.wikipedia.org/wiki/HTTP_301 which may redirect again or respond with a non-redirect status code

Consult the documentation of your HTTP client to see how it can be configured to give you the list of all URLs in the redirect chain. If your HTTP client does not have such a capability, use a different HTTP client. For example, the Python requests library allows all responses in the redirect chain to be inspected via Response.history.

  • I'm using Chrome Inspect menu to view the full redirect path. Chrome does show the location response headers, but it only shows the mask URL in the request URL header section. – ooo Mar 07 '21 at 01:22
  • @666173742d636174 I have updated my answer – Andrey Bienkowski Mar 07 '21 at 10:09
  • Thank you for your help. It definitely gives me more avenues to investigate what could actually be going on. – ooo Mar 07 '21 at 20:38
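The following script is an added example, not part of the question or of the answer above. It walks a redirect chain one hop at a time with the standard library (http.client rather than requests, so nothing needs installing), refusing to let the client auto-follow, and records how each next hop was found: a Location header, a meta refresh, or a JavaScript location assignment in the HTML body. That covers the two points the answer raises: a Network tab can lose the hop that is an HTML page rather than an HTTP redirect, and a forwarder may cloak on User-Agent. The mask/hidden/landing chain is a constructed local fixture (paths stand in for separate hosts, and the "cloaking" rule is an assumption made up for the demo), not Porkbun's real behaviour; the hop names and regexes are mine.

```python
"""Walk a redirect chain hop by hop, including navigations that never appear
in a Location header (meta refresh, JS location assignment), and compare
what a browser-looking User-Agent sees against what a script sees.

Added example; the fixture server below is constructed for the demo only.
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0"
SCRIPT_UA = "python-requests/2.25.1"

# Heuristics for client-side navigations. These are not HTTP redirects, so a
# redirect-following client or a Network tab cleared on navigation never
# shows them; they only exist inside the HTML body.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def walk_chain(url, user_agent, max_hops=10):
    """Fetch url one hop at a time, never auto-following.

    Returns a list of (url, status, how) tuples; `how` is 'location',
    'meta-refresh', 'js-location', 'final', or 'max-hops'.
    """
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = cls(parts.hostname, parts.port, timeout=5)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        location = resp.getheader("Location")
        conn.close()

        nxt, how = None, "final"
        if 300 <= resp.status < 400 and location:
            nxt, how = location, "location"          # ordinary HTTP redirect
        elif META_REFRESH.search(body):
            nxt, how = META_REFRESH.search(body).group(1), "meta-refresh"
        elif JS_LOCATION.search(body):
            nxt, how = JS_LOCATION.search(body).group(1), "js-location"
        hops.append((url, resp.status, how))
        if nxt is None:
            return hops
        url = urljoin(url, nxt)                      # resolve relative targets
    hops.append((url, None, "max-hops"))
    return hops


def hop_summary(hops):
    """Reduce a chain to (path, how) pairs, handy for comparing two clients."""
    return [(urlsplit(u).path, how) for u, _, how in hops]


class FixtureHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for: ad -> mask -> hidden page -> mask -> landing."""

    def do_GET(self):
        looks_like_browser = "Mozilla" in self.headers.get("User-Agent", "")
        if self.path == "/ad":
            self._redirect(302, "/mask")
        elif self.path == "/mask":
            # Assumed cloaking rule for the demo: scripts skip the hidden hop.
            self._redirect(301, "/hidden" if looks_like_browser else "/landing")
        elif self.path == "/hidden":
            # Not an HTTP redirect: an HTML page that navigates away by itself.
            self._html('<html><head><meta http-equiv="refresh" content="0; url=/mask2">'
                       '</head><body>payload would run here</body></html>')
        elif self.path == "/mask2":
            self._redirect(302, "/landing")
        elif self.path == "/landing":
            self._html("<html><body>legit-looking landing page</body></html>")
        else:
            self.send_error(404)

    def _redirect(self, status, target):
        self.send_response(status)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _html(self, html):
        data = html.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fixture_server():
    """Bind an ephemeral local port and serve the fixture in the background."""
    server = HTTPServer(("127.0.0.1", 0), FixtureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    base = start_fixture_server()
    for ua in (BROWSER_UA, SCRIPT_UA):
        print(ua)
        for u, status, how in walk_chain(base + "/ad", ua):
            print("  %s %s (%s)" % (status, u, how))
```

Against a real target, point walk_chain at the ad URL with a browser User-Agent and compare with a script User-Agent; a chain that differs between the two is the cloaking case the answer describes, and a 'meta-refresh' or 'js-location' hop is the hidden page a redirect-following client would have skipped past. Only the heuristics above are checked; obfuscated JavaScript that builds the next URL at run time will still need a sandboxed browser.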