

How do I legitimately hijack website content?
August 15, 2007 5:25 PM

HTML/Javascript: I need to "hijack" website content so that it appears to be hosted by a different domain (with the full knowledge and cooperation of all parties).

My boss maintains a website at, let's say, boss.example.com. He has an affiliation with another organization with a nicer domain name, let's say, fancyexample.com.

He would like to allow users of fancyexample.com to go to fancyexample.com/boss and see all of his boss.example.com content as though it were hosted on fancyexample.com. So if a user went to fancyexample.com/boss/homepage.html they would see that in the address bar but the content would be pulled from boss.example.com/homepage.html

Ultimately, I want to write a small shell page to place on fancyexample.com that "hijacks" the boss.example.com content in as seamless a way as possible. I believe that this can be done very simply using JavaScript and a frame, but I don't have much web programming experience.

Again, don't worry, my boss, boss.example.com, and fancyexample.com all know about this and approve completely.
posted by jedicus to Technology (7 answers total) 2 users marked this as a favorite
 
If you have DNS control, why not just make boss.fancyexample.com and point that to boss.example.com? That would involve less trickery and less browser risk.
posted by tmcw at 5:44 PM on August 15, 2007


Something like this?
(Replace braces with less-than / greater-than)

{!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"}

{html}
{head}
{title}Title{/title}
{meta name="keywords" content="keywords, metalinks" /}
{meta name="description" content="Description...." /}
{/head}
{frameset rows="100%"}
{frame src="http://www.boss.example.com/" title="Boss Example" frameborder="0" noresize="noresize"/}
{noframes}
{body}
{p}{a href="http://www.boss.example.com"}http://www.fancyexample.com/{/a}{/p}
{/body}
{/noframes}
{/frameset}
{/html}

posted by Dub at 6:00 PM on August 15, 2007


This is what mod_proxy is for. You could also write a proxy pretty easily in most scripting languages. Using mod_rewrite and PHP, for example, it's two one-line files, something like this:

.htaccess:
----
RewriteEngine On
RewriteRule ^(?!proxy\.php)(.*)$ /proxy.php?path=$1 [L]
----

proxy.php:
----
<?php readfile( 'http://boss.example.com/' . ltrim( $_GET['path'], '/' ) ); ?>
----
posted by scottreynen at 6:59 PM on August 15, 2007 [1 favorite]


I think you might be able to do this with "server side includes". (Can't you use a full HTTP path with the "direct" parameter?)
posted by Steven C. Den Beste at 10:59 PM on August 15, 2007


Is there any reason you couldn't just mirror the whole boss.example.com site on the fancyexample.com server, and do it locally without any tricks?
posted by jozxyqk at 4:47 AM on August 16, 2007


What Dub suggested was trendy for a while. People would do it with their own sites so that the URL would be the same no matter what page you were on. (I guess people didn't want to show users "confusing urls" or allow them to bookmark anything except the front page.) So it's not a transparent, seamless solution.

The SSI solution would work, but be a bit slow, since it would pull the content in real-time to the one webserver before sending it out to the browser. Might work fine though.

If it's static content, you could do an rsync every hour or so (set up the 2 machines to connect via ssh without a password), but even if you rsync every minute, the content will always be a bit stale.

The proxy is the most robust solution.
posted by kamelhoecker at 6:03 AM on August 16, 2007


If you're doing this, you have to be really, really careful about security. If you use the proxy solution, a malicious hacker couldn't craft a URL that appears to be from your Website, but actually goes to theirs -- allowing them (perhaps) to steal personal information by impersonating you. Additionally, you have to be very careful that you're not really running an open proxy. In general, the rule of thumb is never trust user input. If you're hacking off part of your URL and using it to construct a new one, this counts as user input now and you should make very, very sure that if it's something you don't expect, you deal with it safely.

Cross-site scripting attacks are very hard to deal with. Most major companies get it wrong, and end up vulnerable. Please exercise caution.
posted by goingonit at 12:59 PM on August 16, 2007
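
One way to apply the "never trust user input" rule from the answer above to the path a proxy page receives, shown as an added example rather than code from this thread. The function names and sample paths are constructed for illustration, and Python stands in for whichever scripting language the proxy is written in.

```python
from urllib.parse import quote, unquote, urlsplit

UPSTREAM_HOST = "boss.example.com"  # the only origin this proxy may fetch from

def naive_upstream_url(path):
    # Plain string concatenation of origin and request path: no separator, no encoding.
    return "http://" + UPSTREAM_HOST + path

def safe_upstream_url(path):
    """Map a requested path to a URL on UPSTREAM_HOST, or return None to refuse."""
    decoded = unquote(path)
    if "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        return None  # backslashes and control characters never belong in a path
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None  # refuse to climb above the site root
    # Percent-encode each segment so '@', ':', '?' and '#' stay inside the path.
    url = "http://%s/%s" % (UPSTREAM_HOST, "/".join(quote(s, safe="") for s in segments))
    parts = urlsplit(url)
    # Defence in depth: re-parse and confirm the fetch still targets our origin.
    if parts.hostname != UPSTREAM_HOST or parts.username is not None:
        return None
    return url

def host_of(url):
    # Host a fetch of this URL would actually contact.
    return urlsplit(url).hostname

# Constructed request paths, as they would arrive in the "path" parameter.
SAMPLES = ["homepage.html", ".other.example/x", "@other.example/x", "%2e%2e/private"]

if __name__ == "__main__":
    for p in SAMPLES:
        print("%-20r naive host=%-32s safe=%s"
              % (p, host_of(naive_upstream_url(p)), safe_upstream_url(p)))
```

The proxy should return an error page whenever `safe_upstream_url` gives `None`, instead of fetching anything.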

