Anyone know what causes these kinds of URLs in Google Analytics? They look like the kind of URL that is generated when you're connecting to a Wifi hotspot. But they're all coming from Indonesia.
![画像](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="680" height="409"><rect fill-opacity="0"/></svg>)
ツイート
会話
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="48" height="48"><rect fill-opacity="0"/></svg>)
返信先: さん
Looks like someone proxing your http urls (and probably injecting stuff) that’s why you should switch to https
1
Thanks Valentin. The site is on https already and these URLs lead to 404s.
1
1
返信を表示
返信先: さん
Only a guess - but could be a bot PC testing your site for vulnerabilities - perhaps theres one on some CMS that gives privileged access when coming from a 'log me in' style page?
1
1
I did wonder that, given the single location, it does feel more like vulnerability testing. Actually - was this kinda thing similar to the redirect vulnerability you told me about?
1
返信を表示
返信先: さん
prob from one of the free wifi hotspots there - all the cafes have them where you have to register on insta/fb (spam nightmare) and then they push you to weird URLs
返信先: さん
The reason for someone to do this though, is to anonymously check whether your CMS redirects to the URL in the `dst` variable. There will be a CMS that does. If it's you, the spammer/hacker can use your URL to send out links to spam or malicious software, making them look clean.
1
返信先: さん
The URLs that are tagged on are innocent enough - they're used by Firefox, Android, IE etc to detect if you need to sign-in to a guest/WiFi network you're on. They request a URL that gives a 204 HTTP Status Code (if it doesn't, the browser knows that there's a sign-in wall)
返信先: さん
In summary, the attacker gets an anonymous URL to test "Open Redirects" with, that's reliable (high uptime) and fast (204 responses have no body content).
404/200 HTTP Status = CMS not vulnerable
301/302 -> 204 HTTP Status = CMS vulnerable, add to a list to abuse
1
2
Makes total sense - thanks Rob :) Assume we could just block the IP - (given it's only coming from a single place?
1
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="680" height="357"><rect fill-opacity="0"/></svg>)
返信先: さん
I'd avoid letting GA etc to just blindly read from the URL bar. Construct your pageviews if/when you can.
1
1
Jono how do you go about it - vlookup in GTM or set it as a dataLayer variable where possible?
1
返信を表示
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="120" height="88"><rect fill-opacity="0"/></svg>)
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24"><rect fill-opacity="0"/></svg>)
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="85" height="120"><rect fill-opacity="0"/></svg>)
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="240" height="125"><rect fill-opacity="0"/></svg>)