Are external images at risk?

External links are always allowed in forums and mailboxes. On the one hand, it solves the resource consumption caused by upload and storage, and more importantly, it is convenient for users to reprint images.

However, is there any hidden risk behind the simplicity? Most people may think that it is not just inserting an external image, it is not a script or plug-in, it can have much security risks.

There were also major risks such as the leakage of cookies in external links, but it was a long time ago. In today's ever-changing age of browsers, such bugs are hard to come across. However, using normal game rules, we can still play some security tricks.

No.1 -- HTTP401

　　(Severity: Low)

You have seen that a login box will pop up when you open the vro.

　　

　　

If you understand the HTTP protocol, the server returns 401 and requires user name and password authentication.

However, what if a 401 error is returned for an image request? It's easy to test with the URL of the router:

A dialog box still exists!

If I insert an HTTP401 image into the Forum, will that happen? We use ASP to write a simple script and can customize the prompt text:

<% Response. Status = "401" Response. AddHeader "WWW-Authenticate", "Basic realm = ip ic iqcard, all tell me the password! "%> Then insert the URL to the forum or space (if the url image ending with. asp is rejected, add ?. Png ).

First test in the QQ space:

　　

 

As expected, a dialog box is displayed. However, in browsers outside of ie, Chinese characters are garbled, even if ASP and HTTP encoding are set.

We had to replace it with English characters, and then use a variety of browsers to test it in Baidu post bar:

Ie678:

Ie9:

　　　　

Firefox:

　　　　

Safari:

　　　　

　　
Except for Opera and Chrome, other browsers appear. However, some browsers have truncated characters After spaces.

Of course, you can also extend this function to record what the user has entered. However, it is estimated that no idiot will enter an account here, so this is not very practical.

Because it is forced to pop up, it is often surprising, so in the Forum, post bar or space, it can be entertaining.

　　

No. 2 ---- GZip compression bomb

　　(Severe procedure: Medium)

In a previous article, we talked about using deflate compression to compress hundreds of megabytes of image files to several hundred bytes.

The principle is very simple, and a large amount of repeated data has a high compression rate. The maximum compression ratio of the deflate algorithm is unknown, and it is hard to determine whether the deflate algorithm is optimal. Later, I got a rough idea about the algorithm. Due to the limit on the maximum matching length of lz77, the maximum compression ratio of deflate is indeed only. Although far from rar, 1000 times also means that 1 m data can be converted to 1g.

Therefore, we can use a super high compression HTTP packet to do a few things:
1. memory consumption
2. CPU consumption
3. cache consumption

For the current hardware configuration, the memory is enough to support the browser, and the CPU of multiple cores cannot be used up completely, but the hard disk is a bottleneck.

We use the C program to create a 1 GB memory array, place the image data at the beginning, and fill it with '\ 0. Use zlibto compress and save the result to the right-left corner of 1 MB as x.jpg.gz.

Then read the compressed file with ASP and add the header to the returned file.Content-EncodingField.

In a simple test:

View CodeDim streamSet stream = Server. createObject ("ADODB. stream ") With stream. type = 1. open. loadFromFile _ Server. mapPath (Request. queryString ("File ")&". gz ") End With Dim agentagent = Request. servervariables ("HTTP_USER_AGENT") With Response If Instr (agent, "Firefox")> 0 Or Instr (agent, "AppleWebKit")> 0 Then. addHeader "Content-Encoding", "deflate" Else. addHeader "Content-Encoding", "gzip" End If. AddHeader "Content-Length", stream. Size. BinaryWrite stream. ReadEnd With because some browsers only support deflate Content-Encoding. Therefore, we made a special judgment to avoid invalidation. Test with ie. Open GZip. ASP? File1_x.jpg (test address: http://www.etherdream.com/Test/bomb.html), normal display of the picture, followed by the hard drive lights flash... Close the webpage and open the browser cache folder. Sure enough, 1 GB cache has been generated
!

　　

　　

Then we use Firefox for testing. But without waiting for the picture to come out, the browser is stuck. After waiting for several minutes, the task has to be finished.

　　

　　

Use Chrome for testing. The memory usage soared, and the final image is displayed normally, but the page crashes frequently.

　　

　　

Opera is normal and does not produce a particularly large cache file. Of course, browsers of different versions are quite different and can be tested by yourself.

However, only a few of the most common browsers can work.

We can insert images into emails or forum textures. If it is unfortunately killed by Firefox users, it will be killed on the spot; webkit kernel browsers will seriously slow down the system speed; internet Explorer users are the most vulnerable and are swallowed up by 1 GB of hard disk space. If multiple hard disk space is inserted, it will be more than twice as long as the url parameters are different! If the url with random parameters is directed with HTTP redirection, the page will be loaded and cached every time you access the page!

　　

No. 3 ---- expose the IP address when receiving the email

　　(Severe procedure: High)

In fact, this trick is not technical, nor is it a BUG, and it cannot even be regarded as a defect. It's just a little trick.

Since images on the web page can be external links, it means that you can access any server, including our own. You can easily obtain the visitor's ip address by logging on the server.

This is of little significance to the Forum. It is difficult to know which ip address is owned by many visitors in the Forum. HoweverEmailIt is different. Few others will use your mailbox.

When we send an email to someone, there is an inconspicuous image in it, and the external link is sent to our cgi program. When he opens the mail, the cgi program receives his request and naturally detects the ip address. To prevent the image from being split, a tiny image is returned to prevent any vulnerability.

For emails with push prompts such as QQ mail, the recipient will soon open the mail, especially write a more authentic mail title.

With this, we can write a script for sending mass emails to multiple QQ users. We add a unique parameter to the url of the image corresponding to each email to distinguish different mailboxes.

After half past one, when the recipient opens emails one after another, their ip addresses are also exposed. That is, you can use the proxy to access the Internet through HTTPHTTP_X_FORWARDED_FORField to obtain the real IP address.

Using ip location, you will soon be able to know where they are recently. If they have the same ip address, maybe they are in an intranet :)

 

Preventive Measures

Because images are stored externally, they are completely out of their controllable range. That is to say, an outdoor link is a valid image, and it can only mean the current, rather than the future, because the user can update the content of the external link, or even return different content for different ip addresses. Therefore, you must analyze the image content on the client, and the background can play a secondary role at most.

In the current version of Baidu Post Bar, the security of external links is greatly enhanced because the images are displayed on the homepage of the Post Bar. When you insert an image using an external link, the background server checks the validity of the image from time to time. If an exception exists, the background server deletes the image. If multiple exceptions occur on the same site, the site is blacklisted. Although there are still some omissions, it is much better than not. Images of Space albums or trusted sites are not scanned and detected repeatedly.

Similarly, external links are completely unavailable for applications that are widely disseminated, such as Weibo. Even if necessary, it is also read by the proxy server and then returned to the user. Therefore, security risks are fundamentally eliminated.