Is it possible to reveal URLs in a masked, server-side 301 redirect?

Solution 1:

Edit: the original answer did not solve the OP's problem. This is my second attempt. See the original answer below.

OP comment

I'm using Chrome Inspect menu to view the full redirect path. Chrome does show the location response headers, but it only shows the mask URL in the request URL header section.

On the practical side of things

At this point I would consider contacting https://porkbun.com and explaining your situation. Give them the evidence you have collected so far (the parts that you are allowed to share). If they are a legitimate business they hate it when criminals abuse their service. There is a chance they would be willing to cooperate.

On the technical side of things

It is very difficult to troubleshoot with this little information.

  • If you are pointing a real browser at the malicious URL it is possible that the malware successfully infects it and feeds you misinformation

  • Here is another possibility:

    1. The malicious advert contains a link to https://porkbun.com/<path here>
    2. https://porkbun.com/<path here> is a 301 redirect to https://<evil>.com/<more evil>
    3. https://<evil>.com/<more evil> is not an HTTP redirect but rather an HTML page that
      1. Performs an attack
      2. Uses any number of HTML or JS tricks to navigate the browser to https://porkbun.com/<another path here>
        • It is possible that Chrome Inspect resets the network history when a navigation happens. That is what Firefox dev tools do by default.
  • Maybe Porkbun URL forwarding does serve different responses based on IP, geolocation, user agent string, cookies or any number of other factors

    • Maybe the attacker uses an API to automatically change the destination of a link after it is clicked once or after a period of time
    • One possible way to find their full feature set would be to sign up with them. If they have a feature you'll find it in their management UI
  • Are you sure this is the URL forwarding service? Porkbun also offers hosting. Maybe there is an attacker-controlled server hosted on Porkbun giving you different responses

The original answer

https://porkbun.com/products/url_forwarding does not advertise any advanced features such as trying to distinguish a browser from any other user agent. It probably sends the same response to everyone. In that case the URL can be found in the Location response header.

all I see is link --> mask domain --> landing page.

It sounds like your HTTP client automatically follows redirects and gives you the last response in the redirect chain.

How HTTP redirects work:

  1. A client requests https://example.com/foo
    GET /foo HTTP/1.1
    Host: example.com
    
  2. example.com responds with a redirect
    HTTP/1.1 301 Moved Permanently
    Location: https://en.wikipedia.org/wiki/HTTP_301
    
  3. The client requests https://en.wikipedia.org/wiki/HTTP_301 which may redirect again or respond with a non-redirect status code

Consult the documentation of your HTTP client to see how it can be configured to give you the list of all URLs in the redirect chain. If your HTTP client does not have such a capability, use a different HTTP client. For example, the Python requests library allows all responses in the redirect chain to be inspected via Response.history.
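The hop-by-hop behaviour described in the answer above, as an added example that is not part of the original answer: it uses only the Python standard library (rather than requests) and never auto-follows, so each Location header is recorded. The local test server and its paths `/ad`, `/mask` and `/landing` are constructed for illustration so the script runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def trace_redirects(url, max_hops=10):
    """Return [(url, status, location)] for every hop; max_hops stops loops."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        https = parts.scheme == "https"
        conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(parts.netloc, timeout=10)
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()  # the body is not needed, only the status line and headers
        hops.append((url, status, location))
        if status not in (301, 302, 303, 307, 308) or not location:
            break  # final response: anything after this is HTML/JS navigation
        url = urljoin(url, location)  # Location may be relative
    return hops

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the link -> mask domain -> landing page chain."""
    ROUTES = {"/ad": "/mask", "/mask": "/landing"}
    def do_GET(self):
        target = self.ROUTES.get(self.path)
        self.send_response(301 if target else 200)
        if target:
            self.send_header("Location", target)
        self.end_headers()
        if not target:
            self.wfile.write(b"<html>landing page</html>")
    def log_message(self, *args):
        pass  # keep the demo output quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return [(u[len(base):], s, loc) for u, s, loc in trace_redirects(base + "/ad")]
    finally:
        server.shutdown()

if __name__ == "__main__":
    for hop in demo():
        print(hop)
```

A chain that ends on a 200 response only shows where the HTTP redirects stop; a page that then navigates with HTML or JS, as the answer describes, has to be found by reading that response body.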