[lug] Web crawler advice

Nate Duehr nate at natetech.com
Tue May 6 17:54:31 MDT 2008

karl horlen wrote:

> But how does one attach a js to an image if you don't control the page 
> that loads the image?  Since someone is deep linking the image from a 
> page you don't own, if you don't own or control the page you can't 
> insert js.

He's definitely saying the attacker owns the page the "fake" image tag 
is on, loaded with JavaScript instead of an image file.

How hard is it to set up a web page on a server, put up something 
"interesting" enough to the general public to get a few thousand page 
views a day, and then embed evil things in it?  Not very.

Now move that webserver off-shore where it's harder to get the attention 
of the authorities and/or the ISP... but keep your ".com" domain name on 
the foreign IP address...

You get the idea.  Evil incarnate.  And more common than people think, 
sadly.  Indiscriminate web browsing and bad browser behavior is right up 
there with some of the worst real "threats" to modern computing as it 

Common techniques today are starting to become things like "contained" 
environments or "sandboxes" where the browser is only used/loaded inside 
a virtualized OS that can be wiped and reloaded, keeping (hopefully) the 
host OS safe from harm.


More information about the LUG mailing list