Simple hotlink protection ("anti-leech", literally "anti-theft chain") for images with Express

Recently, on a project assigned by my supervisor, I added a set of front-end templates to a system. That part was not hard. Because the algorithm team could not provide data yet, I grabbed image links from around the web, and found that some of the images would not display. It turned out that those images were protected by "hotlink protection" (防盗链, literally "anti-theft chain"), which reminded me of the Referer request header I had run into before: it tells the server which page a resource request came from. A server that checks the Referer can therefore decide whether to serve an image that another site is embedding.

Code:

var express = require('express');
var app = express();
var fs = require('fs');
// Template directory: Express defaults to ./views, so the override is not
// needed. If it is ever re-enabled, `path` must be required first — it is not
// imported anywhere in this file.
// app.set('views', path.join('views'));
// Render plain .html files in the views directory through ejs, so that
// res.render('index') resolves to views/index.html.
app.engine('html', require('ejs').renderFile);
app.set('view engine', 'html');

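// Hosts that may embed /public/* images. The value is compared with the
// hostname of the parsed Referer, not searched for as a substring: the original
// `referer.indexOf('localhost1')` let "http://evil.example/?localhost1" and
// "http://localhost1.evil.example/" through, and its `<= 0` test also
// misclassified a match at index 0.
var ALLOWED_REFERER_HOSTS = ['localhost1'];

// Returns true when the request may receive the real image: either no Referer
// was sent (the image URL was opened directly, which this post deliberately
// allows — note that a client can simply omit the header) or the Referer's
// hostname is on the allowlist. A Referer that does not parse as an absolute
// URL is treated as foreign; browsers always send absolute URLs.
function isAllowedReferer(referer) {
    if (!referer) {
        return true;
    }
    try {
        return ALLOWED_REFERER_HOSTS.indexOf(new URL(referer).hostname) !== -1;
    } catch (err) {
        return false;
    }
}

// Reads filePath and sends it with the given MIME type. A read error becomes
// a 404 (ENOENT) or 500 instead of the original's 200 with an empty body,
// which happened because the headers were written before err was inspected.
// The try/catch around readFile was dropped: an async callback's error never
// reaches it.
function sendImage(res, filePath, contentType) {
    fs.readFile(filePath, function (err, data) {
        if (err) {
            console.log(err);
            res.writeHead(err.code === 'ENOENT' ? 404 : 500, {"Content-Type": "text/plain"});
            res.end('image unavailable');
            return;
        }
        res.writeHead(200, {"Content-Type": contentType});
        res.end(data);
    });
}

// Image route. The demo ignores which /public/ path was asked for and always
// serves views/a.jpg to allowed callers and views/no.png to hotlinkers.
app.get('/public/*',
    function (req, res, next) {
        var referer = req.headers.referer;
        console.log(referer);
        if (isAllowedReferer(referer)) {
            console.log("normal");
            // "image/jpeg" is the registered type; "image/jpg" is not.
            sendImage(res, "./views/a.jpg", "image/jpeg");
        } else {
            console.log("no");
            // no.png is a PNG; the original labelled both files "image/jpg".
            sendImage(res, "./views/no.png", "image/png");
        }
    });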
// Home page: renders views/index.html through the ejs engine configured above.
function renderIndex(req, res) {
    var locals = {helloWorld: 'hello,world'};
    res.render('index', locals);
}
app.get('/', renderIndex);

// Bind port 3000 and report readiness on the console.
function onListening() {
    console.log('app listen at 3000');
}
app.listen(3000, onListening);

A Referer header is only sent when a resource is requested from within a page (for example by an img tag). If you open the image URL directly in the address bar, no Referer is sent at all.

So the check must first test whether a Referer exists, and only then test whether it points at an allowed domain: a direct visit should still show the image, and only requests that come from someone else's page embedding our image link should be blocked. Be aware that this is a policy choice — letting an empty Referer through keeps direct access working, but it also means any client that simply omits the header gets the image.

The same check can also be written as Express middleware, so it can be reused on several routes:

var express = require('express');
var app = express();
var fs = require('fs');
// Template directory: Express defaults to ./views, so the override is not
// needed. If it is ever re-enabled, `path` must be required first — it is not
// imported anywhere in this file.
// app.set('views', path.join('views'));
// Render plain .html files in the views directory through ejs, so that
// res.render('index') resolves to views/index.html.
app.engine('html', require('ejs').renderFile);
app.set('view engine', 'html');

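// Hosts that may embed /public/* images. Compared with the hostname of the
// parsed Referer rather than via indexOf, so a Referer such as
// "http://evil.example/?localhost1" or "http://localhost1.evil.example/" is
// rejected instead of matching as a substring.
var ALLOWED_REFERER_HOSTS = ['localhost1'];

// Extracts the hostname from a Referer header value, or null when the value
// is missing or is not an absolute URL (browsers always send absolute URLs,
// so anything else is treated as foreign).
function refererHost(referer) {
    if (!referer) {
        return null;
    }
    try {
        return new URL(referer).hostname;
    } catch (err) {
        return null;
    }
}

// Hotlink guard middleware for image routes.
// - No Referer: the image URL was opened directly; pass it through. That is
//   the policy the post describes and the first version of the route used —
//   the original of this function blocked an empty Referer, contradicting
//   both. It is also what an embedding page gets with
//   referrerpolicy="no-referrer", so this is a nuisance filter, not a control.
// - Referer hostname on the allowlist: call next().
// - Anything else: answer 403 with a short HTML body and end the chain. The
//   original sent this body with status 200 (its commented-out res.state(500)
//   shows a non-200 status was intended); 403 keeps a hotlinker's img tag from
//   rendering it as a successful image load.
function sss(req, res, next) {
    var referer = req.headers.referer;
    console.log(referer);
    if (!referer) {
        next();
        return;
    }
    var host = refererHost(referer);
    if (host !== null && ALLOWED_REFERER_HOSTS.indexOf(host) !== -1) {
        next();
        return;
    }
    console.log(1);
    res.status(403).send('Steal chain picture from:<a href="xxxxx"></a>');
}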

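// Image route: sss decides whether the caller may see the real image; this
// handler only serves views/a.jpg (the requested /public/ path is ignored in
// the demo). A read error now becomes a 404 (ENOENT) or 500 instead of a 200
// with an empty body, which is what the original did because it wrote the
// headers before looking at err. The try/catch around readFile was dropped:
// errors raised inside an async callback never reach it.
app.get('/public/*',
    sss,
    function (req, res, next) {
        console.log(234234);
        fs.readFile("./views/a.jpg", function (err, data) {
            if (err) {
                console.log(err);
                res.writeHead(err.code === 'ENOENT' ? 404 : 500, {"Content-Type": "text/plain"});
                res.end('image unavailable');
                return;
            }
            // "image/jpeg" is the registered type; "image/jpg" is not.
            res.writeHead(200, {"Content-Type": "image/jpeg"});
            res.end(data);
        });
    });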
// Home page: renders views/index.html through the ejs engine configured above.
// The console.log(10) is the original's request trace and is kept as-is.
function renderIndex(req, res) {
    console.log(10);
    var locals = { helloWorld: 'hello,world' };
    res.render('index', locals);
}
app.get('/', renderIndex);

// Bind port 3000 and report readiness on the console.
function onListening() {
    console.log('app listen at 3000');
}
app.listen(3000, onListening);

Of course, this kind of hotlink protection is trivial to bypass: the Referer is set by the client, so anything that forges or drops the header gets the real image — a curl call with -H 'Referer: ...', an intermediate proxy that rewrites it, or a page that embeds the image with referrerpolicy="no-referrer" so that no header is sent and the "allow empty Referer" rule lets it through. Treat it as a nuisance filter against casual embedding, not as access control. Also note that a substring test such as indexOf('localhost1') is itself bypassable by a Referer like http://evil.example/?localhost1 or http://localhost1.evil.example/; compare the parsed hostname against an allowlist instead.

