Comments on: How do I legitimately hijack website content?

Question: How do I legitimately hijack website content?

jedicus — Wed, 15 Aug 2007 17:25:07 -0800

HTML/Javascript: I need to "hijack" website content so that it appears to be hosted by a different domain (with the full knowledge and cooperation of all parties).

My boss maintains a website at, let's say, boss.example.com. He has an affiliation with another organization with a nicer domain name, let's say, fancyexample.com

He would like to allow users of fancyexample.com to go to fancyexample.com/boss and see all of his boss.example.com content as though it were hosted on fancyexample.com. So if a user went to fancyexample.com/boss/homepage.html they would see that in the address bar but the content would be pulled from boss.example.com/homepage.html

Ultimately, I want to write a small shell page to place on fancyexample.com that "hijacks" the boss.example.com content in as seamless a way as possible. I believe that this can be done very simple using javascript and a frame but I don't have much web programming experience.

Again, don't worry, my boss, boss.example.com, and fancyexample.com all know about this and approve completely.

By: tmcw

tmcw — Wed, 15 Aug 2007 17:44:39 -0800

If you have DNS control, why not just make boss.fancyexample.com and point that to boss.example.com? That would involve less trickery and less browser risk.

By: Dub

Dub — Wed, 15 Aug 2007 18:00:22 -0800

Something like this?
(Replace braces with less-than / greater-than)

{!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"}

{html}
{head}
{title}Title{/title}
{meta name="keywords" content="keywords, metalinks" /}
{meta name="description" content="Description...." /}
{/head}
{frameset rows="100%"}
{frame src="http://www.boss.example.com/" title="Boss Example" frameborder="0" noresize="noresize"/}
{noframes}
{body}
{p}{a href="http://www.boss.example.com"}http://www.fancyexample.com/{/a}{/p}
{/body}
{/noframes}
{/frameset}
{/html}

By: scottreynen

scottreynen — Wed, 15 Aug 2007 18:59:42 -0800

This is what mod_proxy is for. You could also write a proxy pretty easily in most scripting languages. Using mod_rewrite and PHP, for example, it's two one-line files, something like this:

.htaccess:
----
RewriteRule ^(.*)$ /proxy.php?path=$1
----

proxy.php:
----
<? readfile( 'http://boss.example.com' . $_GET['path'] ); ?>
----

By: Steven C. Den Beste

Steven C. Den Beste — Wed, 15 Aug 2007 22:59:11 -0800

I think you might be able to do this with "server side includes". (Can't you use a full HTTP path with the "direct" parameter?)

By: jozxyqk

jozxyqk — Thu, 16 Aug 2007 04:47:56 -0800

Is there any reason you couldn't just mirror the whole boss.example.com site on the fancyexample.com server, and do it locally without any tricks?

By: kamelhoecker

kamelhoecker — Thu, 16 Aug 2007 06:03:34 -0800

What Dub suggested was trendy for a while. People would do it with their own sites so that the URL would be the same no matter what page you were on. (I guess people didn't want to show users "confusing urls" or allow them to bookmark anything except the front page.) So it's not a transparent, seamless solution.

The SSI solution would work, but be a bit slow, since it would pull the content in real-time to the one webserver before sending it out to the browser. Might work fine though.

If it's static content, you could do an rsync every hour or so (setup the 2 machines to connect via ssh without a password.) but even if you rsync every minute, the content will always be a bit stale.

the proxy is the most robust solution.

By: goingonit

goingonit — Thu, 16 Aug 2007 12:59:29 -0800

If you're doing this, you have to be really, really careful about security. If you use the proxy solution, a malicious hacker couldn't craft a URL that appears to be from your Website, but actually goes to theirs -- allowing them (perhaps) to steal personal information by impersonating you. Additionally, you have to be very careful that you're not really running an open proxy. In general, the rule of thumb is never trust user input. If you're hacking off part of your URL and using it to construct a new one, this counts as user input now and you should make very, very sure that if it's something you don't expect, you deal with it safely.

Cross-site scripting attacks are very hard to deal with. Most major companies get it wrong, and end up vulnerable. Please exercise caution.