Are external images at risk? (1)

Source: Internet
Author: User

External image links are allowed in almost every forum and webmail system. They spare the site the upload and storage cost of hosting images and, more importantly, make it convenient for users to repost pictures. But is there a hidden risk behind this convenience? Most people would assume that inserting an external image is harmless: it is not a script or a plug-in, so how much of a security risk can it carry?

There were once serious problems with external image links, such as cookie leakage, but that was long ago; in today's fast-moving browser landscape such bugs are rare. Still, playing entirely within the normal rules, we can pull off a few security tricks.

No.1 -- HTTP 401

Severity: Low

You have probably seen a login box pop up when you open your router's admin page.


If you know the HTTP protocol, you know what this is: the server returns status 401 and requires username and password authentication.

But what happens if a 401 is returned for an image request? This is easy to test with the router's URL:

The dialog box still appears!

So if I insert an HTTP 401 "image" into a forum, will the same thing happen? We can write a simple ASP script, and even customise the prompt text:

<%
' Tell the browser that authentication is required.
Response.Status = "401 Unauthorized"
' The realm text is what the browser shows in its login dialog;
' double quotes inside a VBScript string are written as "".
Response.AddHeader "WWW-Authenticate", "Basic realm=""ip ic iqcard, all tell me the password!"""
%>

Insert the script's URL into the forum or space as an image. If an image URL ending in .asp is rejected, append ?.png to it.

First test in QQ Space:

As expected, a dialog box is displayed. However, in browsers other than IE the Chinese characters are garbled, even with the ASP code page and HTTP encoding set.

We had to switch to English text and then test it in Baidu Tieba (post bar) with a range of browsers:

Screenshots (images not preserved): IE6/7/8, IE9, Firefox, Safari.

Every browser except Opera and Chrome shows the dialog. However, some browsers truncate the realm text after the first space.

Of course, you could extend the script to record whatever the user types into the dialog, but it is unlikely anyone would enter real credentials here, so that is not very practical.

Because the dialog is forced on the viewer, it usually comes as a surprise, so in a forum, post bar or space it makes for a good prank.
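From the site operator's side, the trick above is easy to screen out: before accepting a hotlinked image, fetch the URL server-side and reject any response that carries a 401 status or a WWW-Authenticate header, or that is not an image at all. The check below is an added example, not code from the original post; the function names and the sample responses are constructed for illustration.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Verdict:
    allowed: bool
    reason: str


def judge_image_response(status: int, headers: dict) -> Verdict:
    """Decide whether a hotlinked image response is safe to embed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status == 401 or "www-authenticate" in h:
        return Verdict(False, "response demands HTTP authentication")
    if status != 200:
        return Verdict(False, f"unexpected status {status}")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if not ctype.startswith("image/"):
        return Verdict(False, f"not an image: {ctype or 'no content-type'}")
    return Verdict(True, "ok")


def parse_response_head(raw: bytes):
    """Parse the status line and headers of a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers


def judge_raw_response(raw: bytes) -> Verdict:
    return judge_image_response(*parse_response_head(raw))


def check_hotlink(url: str, timeout: float = 5.0) -> Verdict:
    """Fetch a candidate image URL (needs network) and judge the final response."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "hotlink-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return judge_image_response(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as e:  # urllib raises on 4xx/5xx; a 401 lands here
        return judge_image_response(e.code, dict(e.headers.items()))
    except (urllib.error.URLError, OSError) as e:
        return Verdict(False, f"fetch failed: {e}")


# Constructed sample responses: the bait from the post, and a genuine PNG.
BAIT = (b"HTTP/1.1 401 Unauthorized\r\n"
        b"WWW-Authenticate: Basic realm=\"tell me the password!\"\r\n"
        b"Content-Type: text/html\r\n\r\n")
REAL = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n"
```

Because urlopen follows redirects, the live check judges the final hop, which also catches a harmless-looking URL that redirects to the 401 bait.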

