No referrer header on leacher's site !!

c0nw0nk nginx-forum at forum.nginx.org
Thu Apr 6 12:03:19 UTC 2017


Dmitry S. Polyakov Wrote:
-------------------------------------------------------
> On Thu, Apr 6, 2017, 10:50 shahzaib mushtaq <shahzaib.cb at gmail.com> wrote:
>
> > >>With the controls sites have over the referrer header, it's not very
> > effective as an access control mechanism. You can use something like
> > http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
> > instead.
> >
> > We're also using Nginx secure link module based on HASH + expiry but
> > somehow this secure link is exploited by that website. The video link hash
> > on his website is exactly matching with ours means no matter if hash get
> > expire & new takes it place that leacher is also getting the new hash &
> > we're unable to find how he exploited us. Though on digging more into this
> > we found that he's using following script to fetch video links from our
> > website :
> >
> > https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.saltsrd.lite/scrapers/dizibox_scraper.py
> >
> > His website name is also dizibox1.
> >
> It happens because your secure links hash doesn't have any end user unique
> attributes like ip address
> If you'll include enduser ip to the secure link hash, secure link become
> unique for the end user. Any direct video link grabbed and shared by the
> enduser or some script become useless.


You would think that, but with Kodi/XBMC that is not the case; their app grabs
and sends an HTML request on a per-user basis.

So each and every request comes from a user's Kodi box or app on their phone
etc., so when the page generates the HTML response to that user it also
generates the response for their IP address.

It is like real web traffic.

I prevented them as I explained here
https://forum.nginx.org/read.php?2,273405,273447#msg-273447

Also, if you browse and view pornhub, pornsocket, youtube, whatever streaming
sites etc., you will see they now hide and obfuscate their stream links in
JavaScript to break these Kodi box users, as I explained in the link above.

Here is proof :
<script type="text/javascript">
	/*This entire area would be their broken up url link obfuscated to be put
back together again by JavaScript making it unreadable for these kodi/xbmc
users */ = quality_720p;
	
	loadScriptUniqueId.push('111418492');
	loadScriptVar.push(flashvars_111418492);

	playerObjList.playerDiv_111418492 = {
		'flashvars'	: {"embedId":111418492},
		'embedSWF'	:
{"url":"https:\/\/bi.phncdn.com\/www-static\/flash\/","element":"playerDiv_111418492","width":"100%","height":"100%","version":"9.0.0"}	};
</script>
	<div id="playerDiv_111418492" class="playerFlvContainer" data-enlarge="1"
data-showautoplayoption="1" data-share="1">
		<noscript>
			<video style="width:100%; height:100%;" controls="controls"
autobuffer="autobuffer" class="player-html5" preload="metadata">
				<source src="" type="video/mp4">
			</video>
		</noscript>

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273405,273449#msg-273449
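
An added example, not part of the original posts: a Python model of the nginx secure_link check with the client IP included in the hash, as suggested in the quoted reply, showing why a request made from the viewer's own address still validates, as the reply above describes. The secret, URI, timestamps and addresses are constructed, and the secure_link_md5 expression in the comment is an assumed configuration.

```python
import base64
import hashlib
import hmac

SECRET = "example-secret"  # constructed placeholder, not a real key

def make_token(uri, expires, client_ip, secret=SECRET):
    # Assumed nginx config this mirrors:
    #   secure_link $arg_md5,$arg_expires;
    #   secure_link_md5 "$secure_link_expires$uri$remote_addr example-secret";
    raw = f"{expires}{uri}{client_ip} {secret}".encode()
    digest = hashlib.md5(raw).digest()
    # nginx expects the binary MD5 as base64url without padding
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def check_link(uri, token, expires, remote_addr, now, secret=SECRET):
    # Returns what $secure_link would hold: "" bad hash, "0" expired, "1" valid
    expected = make_token(uri, expires, remote_addr, secret)
    if not hmac.compare_digest(expected, token):
        return ""
    return "0" if expires < now else "1"

def demo():
    uri, issued = "/videos/sample.mp4", 1_491_480_000  # constructed values
    expires = issued + 3600
    viewer_ip, other_ip = "203.0.113.10", "198.51.100.7"  # documentation ranges
    # The page is rendered for the viewer, so the token embeds the viewer's IP.
    token = make_token(uri, expires, viewer_ip)
    return {
        # Link copied to and requested from a different address: rejected.
        "replayed_elsewhere": check_link(uri, token, expires, other_ip, issued + 60),
        # Any client running at the viewer's own address: accepted.
        "same_address": check_link(uri, token, expires, viewer_ip, issued + 60),
        # Same address after the expiry time: reported as expired.
        "after_expiry": check_link(uri, token, expires, viewer_ip, expires + 1),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

Binding the hash to $remote_addr stops a link being reused from another address, but it cannot tell a browser from any other client at the address the page was served to.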


