Open redirect: JustPaste.it

Detects inbound messages containing JustPaste.it redirect links that forward to external destinations outside of JustPaste.it. This technique abuses JustPaste.it's redirect functionality to obscure the true destination URL, bypassing link reputation checks. The rule excludes legitimate senders from JustPaste.it itself.

Sublime rule (View on GitHub)

 1name: "Open redirect: JustPaste.it"
 2description: "Detects inbound messages containing JustPaste.it redirect links that forward to external destinations outside of JustPaste.it. This technique abuses JustPaste.it's redirect functionality to obscure the true destination URL, bypassing link reputation checks. The rule excludes legitimate senders from JustPaste.it itself."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.domain == "justpaste.it"
 9          and strings.istarts_with(.href_url.path, '/redirect/')
10          // wrapped destination is not back to justpaste.it
11          and not strings.icontains(.href_url.path, 'justpaste.it')
12  )
13  and not sender.email.domain.root_domain == "justpaste.it"     
14attack_types:
15  - "Credential Phishing"
16  - "Malware/Ransomware"
17tactics_and_techniques:
18  - "Open redirect"
19  - "Free file host"
20  - "Evasion"
21detection_methods:
22  - "URL analysis"
23  - "Sender analysis"
24id: "faff6efd-c644-58f1-b856-fd707cf8c9b9"
to-top