Are external images at risk? (1)

External links are always allowed in forums and mailboxes. On the one hand, it solves the resource consumption caused by upload and storage, and more importantly, it is convenient for users to reprint images. However, is there any hidden risk behind the simplicity? Most people may think that it is not just inserting an external image, it is not a script or plug-in, it can have much security risks.

There were also major risks such as the leakage of cookies in external links, but it was a long time ago. In today's ever-changing age of browsers, such bugs are hard to come across. However, using normal game rules, we can still play some security tricks.

No.1 -- HTTP401

Severity: Low)

You have seen that a login box will pop up when you open the vro.

 

If you understand the HTTP protocol, the server returns 401 and requires user name and password authentication.

However, what if a 401 error is returned for an image request? It's easy to test with the URL of the router:

A dialog box still exists!

If I insert an HTTP401 image into the Forum, will that happen? We use ASP to write a simple script and can customize the prompt text:

<% Response. Status = "401" Response. AddHeader "WWW-Authenticate", "Basic realm = ip ic iqcard, all tell me the password! "%> Insert the URL to the forum or space. If the url image ending with asp is rejected, add ?. Png ).

First test in the QQ space:

As expected, a dialog box is displayed. However, in browsers outside of ie, Chinese characters are garbled, even if ASP and HTTP encoding are set.

We had to replace it with English characters, and then use a variety of browsers to test it in Baidu post bar:

Ie678:

Ie9:

Firefox:

Safari:

Except for Opera and Chrome, other browsers appear. However, some browsers have truncated characters After spaces.

Of course, you can also extend this function to record what the user has entered. However, it is estimated that no idiot will enter an account here, so this is not very practical.

Because it is forced to pop up, it is often surprising, so in the Forum, post bar or space, it can be entertaining.