No referrer header on leacher's site !!

Dmitry S. Polyakov amnesia.victim at gmail.com
Thu Apr 6 11:50:18 UTC 2017 

On Thu, Apr 6, 2017, 10:50 shahzaib mushtaq <shahzaib.cb at gmail.com> wrote:

> >>With the controls sites have over the referrer header, it's not very
> effective as an access control mechanism. You can use something like
> http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
> instead.
>
> We're also using Nginx secure link module based on HASH + expiry but
> somehow this secure link is exploited by that website. The video link hash
> on his website is exactly matching with ours means no matter if hash get
> expire & new takes it place that leacher is also getting the new hash &
> we're unable to find how he exploited us. Though on digging more into this
> we found that he's using following script to fetch video links from our
> website :
>
>
> https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.saltsrd.lite/scrapers/dizibox_scraper.py
>
> His website name is also dizibox1.
>
IT happens because your secure  links hash doesn't have any end user unique
attributes like ip address
If you'll include enduser ip to the secure link hash, secure link become
unique for the end user. Any direct video link grabbed and shared by the
enduser or some script become useless.


>
> On Wed, Apr 5, 2017 at 1:54 AM, Francis Daly <francis at daoine.org> wrote:
>
> On Tue, Apr 04, 2017 at 04:39:23PM +0500, shahzaib mushtaq wrote:
>
> Hi there,
>
> > Thanks for quick response. Well its reverse, he's putting our HTTPS video
> > link on his HTTP website. Could that create issue as well? If yes, what's
> > the fix of it.
>
> nginx does not know (or care) what the linking site does. All it can
> see is the request made to it.
>
> The browser entirely controls what request headers the browser sends.
>
> If you want to deny all requests that have no Referer header, you can
> do that.
>
> If you want to deny only some requests that have no Referer header,
> you will need to tell nginx which requests to deny and which requests to
> allow. But before you can do that, you will have to know how to identify
> the requests in one of the sets.
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170406/9778f949/attachment.html>

More information about the nginx mailing list