Implementing Basic Link Hijacking

September 22nd, 2021

A couple of days ago I did my first live-stream!!!! I went through implementing link hijacking in my bulk email service that I am working on.

Replacing The URLs

It is pretty simple. Basically what I did was create a very simple regular expression that grabbed all the links in the email body.

$output = $this->content;

// this is to find urls in markdown links
$reg = "/\[[a-zA-Z0-9\-\_\.\s]+]\(([a-z0-9:\/\.\-\_]+)\)/"; 

preg_match_all($reg, $output, $matches);

Then I saved the urls in a links table:

$links = collect($matches[1])->map(function ($url) use ($lead) {
  return Link::create([
    'campaign_id' => $this->id,
    'lead_id' => $lead->id,
    'target' => $url,

After that I replaced all instances of the URL with a custom URL generated by the link IDs:

foreach ($links as $link) {
  $output = str_replace($link->target, $link->getCustomUrl(), $output);

Handle Link Clicks

When a recipient clicks the link we take them to the custom URL (in this case http://tracky.dev/links/{link_id}) that redirects them the intended URL after incrementing a clicks column on the Link:

public function update(Link $link)
  $link->update(['clicks' => $link->clicks+1]);

  return redirect($link->target);

And that is it.

To Conclude

It was my first live stream so the video will not be public. But this is a basic overview of how I added the feature I wanted.

If you have any questions about this article you can hit me up on Twitter @sampodlogar

© 2023 Mission-4 LLC