Passing Referer AS ColdFusion CFHttp CGI Value vs HEADER Value? : Kinky Solutions : A Student's Perspective by Ben Nadel

Recent Entries Complete Entry List August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 AJAX (14) Ask Ben (103) Books (14) ColdFusion (914) Exercise List (17) Flash (3) Health / Fitness (34) HTML / CSS (29) Javascript / DHTML (91) Life (68) Movies (23) Project HUGE (28) Relationships (7) Search Engine Optimization (14) Skin Spider (30) SQL (83) Work (105) XStandard WYSIWYG (21) RSS 2.0 Custom RSS 2.0

Posted August 9, 2007 at 9:23 AM

Tags: ColdFusion

The other day, someone posted a SPAM comment on my site that directed users to a site serving up free Playboy magazine centerfold downloads. I am so tired of people posting spam to my site that I figured I would actually try and turn the tables on this particular spammer. Sites like this operate on the fact that you have to actually view their pages and therefore, view their ads (which is how, I assume, they make their money). However, grabbing the merchandise without loading any ads defeats their entire reason for spamming in the first place.

And so it is that I set out to script the download of every Playboy magazine centerfold from 1954 to 2007 without ever loading a single page on the spammers site (naturally, I had to load a few pages to see how the site worked). Here's what I came up with:

 Launch code in new window » Download code as text file »

Unfortunately, this did not work at all. Running the code above, the server kept returning 403 Forbidden Access errors:

195401.jpg

» 403 Forbidden

195402.jpg

» 403 Forbidden

195403.jpg

» 403 Forbidden

Clearly, the server had something in place to prevent hotlinking. But, I was sending the Referer, which should have taken care of this.

After a good deal of time trying to tweak the values, I finally turned to one of the most badass tools out there - FireBug. I actually went to the target page and viewed the HTTP Request headers that were being sent across for the graphic request:

Nothing was popping out at me. But then, I realized I was looking at the HEADER values. Obviously. But, wasn't I sending the Referer value as a CGI value? I know that ColdFusion's CFHttpParam tag has a HEADER type, so I tried to change the type from Referer to HEADER:

 Launch code in new window » Download code as text file »

This time, things went off without a hitch:

95401.jpg

» 200 OK

195402.jpg

» 200 OK

195403.jpg

» 200 OK

Works great - downloads all the Playboy centerfolds since the beginning of time, but this got me thinking: if both the CGI:Referer and the HEADER:Referer end up in the CGI scope (at least in ColdFusion), what's the difference between sending these two values. Why did one work and one not work?

The answer turns out to be Encoding. By default, the ColdFusion CFHttpParam tag Encodes all FormField and CGI value types using a URL-encoding. HEADER values, on the other hand, are not encoded in any automatic way. Therefore, if you tried to send this value:

http://www.oxpe.net/playboy/playboy.html

... as a CFHttpParam CGI value, it would show up in the CGI object as:

http%3A%2F%2Fwww%2Eoxpe%2Enet%2Fplayboy%2Fplayboy%2Ehtml

This has been encoded for URL usage. If, however you turned off encoding (Encoded = "false"), ** OR ** sent it as a CFHttpParam HEADER value, it would show up in the CGI object as:

http://www.oxpe.net/playboy/playboy.html

This is good stuff to know. I should really do a much more in-depth exploration of all the different CFHttpParam types to see how they can really be leveraged properly. I am still not 100% clear on the difference between all the HEADER and CGI values; it looks like HEADER values might be a more natural way to mimic this sort of clint-server interaction. I will do some further testing.

On a related note, it's really funny to see the contrast in what Playboy presented in 1954 compared to what they put in the magazine in today. 1954 was very safe. Pubic hair didn't really make much of any show until the early 1970s... and now, in the 2000s, pubic hair is gone again (but this time, of course, for very different reasons).

Download Code Snippet ZIP File

Comments (19)  |  Post Comment  |  Ask Ben  |  Permalink  |  Other Searches  |  Print Page

• Add To Del.icio.us
• Add To Digg
• Add to Spurl.net
• Add to Wists
• Add to Simpy
• Add to Newsvine
• Add to BlinkList
• Add to Furl
• Add to reddit
• Add to FARK
• Add to BlogMarks
• Add to Yahoo! My Web
• Add to smarking
• Add to Ma.gnolia
• Add to Segnalo

Reader Comments

Ben Nadel, ladies and gentlemen... always ready to tackle the topics that others want to know but are afraid to talk about.... like how to safely strip porn from spammer websites in the name of learning!

I love it! Now to download the code so I can investigate it further... for learning purposes, of course! ;)

Posted by Max on Aug 9, 2007 at 10:01 AM

@Max,

It's all about the learning :) I learned something very valuable here about using ColdFusion's CFHttp and CFHttpParam tags. Totally justified :)

Posted by Ben Nadel on Aug 9, 2007 at 10:11 AM

Yep... and I've always felt it learning was easier when passionate about the subject matter.

That subject being CF, y'know.... ummmm yeah, ColdFusion.

Posted by Max on Aug 9, 2007 at 10:17 AM

ColdFusion is dead sexy.

Posted by Ben Nadel on Aug 9, 2007 at 10:32 AM

He he, good job! I love the above banner too :-)

Posted by Boyan on Aug 9, 2007 at 4:18 PM

Ben for president!!!!!!!!!!!!!

Posted by Donnie Bachan on Aug 9, 2007 at 5:39 PM

I'm just doing my part in the war against spammers :)

Posted by Ben Nadel on Aug 9, 2007 at 5:42 PM

Just to let you know, I think this is great Ben! A little cf, some classic porn, eating a spammers bandwidth, I love.

I have 4 servers running it right now, just to hurt them! :-)

Posted by cfPorn Fan on Aug 9, 2007 at 10:07 PM

Ha ha ha ha. That reminds me of the movie Hackers where they had people all over the world attacking this one computer system. That was a sweet movie .... back when Angelina Jolie was actually acttractive to me :(

Posted by Ben Nadel on Aug 10, 2007 at 8:16 AM

Ben Nadel, you are a wicked, wicked man. And that is why we value you so highly in the CF community. :-)

Posted by Trent on Aug 10, 2007 at 8:09 PM

@Trent,

I'm just one dude trying to make a difference.

Posted by Ben Nadel on Aug 10, 2007 at 8:55 PM

Header values are the meta data that goes into the HTTP request (and return with the response). The receiving webserver turns header values into CGI variables, and CGI variables are available during request processing. I think of it like: HEADER > Webserver > CGI > ColdFusion

Posted by Steven Erat on Aug 28, 2007 at 11:48 AM

@Steven,

Thank you for the insight. To me (Based on your explanation), I feel like the "spoofing" should happen as high up in the chain as possible. From that, I would think I should choose Header over CGI in CFHttpParam whenever possible. How does that sound?

Posted by Ben Nadel on Aug 28, 2007 at 12:16 PM

This doesn't work anymore... at least not with Playboy.

The images appear to download OK, but if you open up the images, they are all corrupted files.

I guess they pulled one over your eyes? ;-)

Anthony

Posted by Anthony on Feb 1, 2008 at 5:19 PM

I try to do this with the CGI.REMOTE_ADDR but it doesn't work.

If I do this:
<cfhttp
method="post"
url="http://mytestdomain.com/iptest.cfm"
result="result">
<cfhttpparam
type="CGI"
name="remote_addr"
value="92.63.154.23"
encoded="false">
</cfhttp>

<cfoutput>#result.FileContent#</cfoutput>

and iptest.cfm contains this:

Hello from <cfoutput>#CGI.SCRIPT_NAME#</cfoutput>!<br />
Your remote_addr is <cfoutput>#CGI.remote_addr#</cfoutput>

it still outputs

Hello from /iptest.cfm!
Your remote_addr is 127.0.0.1

instead of what I expected:

Hello from /iptest.cfm!
Your remote_addr is 92.63.154.23

same with http_user_agent. I cannot overwrite this value with cfhttpparam.
Am I missing something?
Marc

Posted by Marc on Apr 8, 2008 at 5:57 AM

Try using TYPE="HEADER" instead of TYPE="CGI".

Posted by Donnie Bachan on Apr 8, 2008 at 6:15 AM

@Marc,

From what I have been told, a lot goes into calculating someone's IP address. You can't just fake it with a header or CGI value. I ran into this when I was messing with http://www.moanmyip.com . I kept trying to get her to moan numbers at my command, but alas, I could not come up with any way to fake it.

Posted by Ben Nadel on Apr 8, 2008 at 7:26 AM

The difference between type="CGI" and type="HEADER" is that the former gets urlencoded by default, the latter not. If I add encoded="false" to type="CGI" the two are identical.

To get an overview of CGI variables that you can modify and CGI variables that are not modifyable do this:

in test1.cfm:
<cfhttp method="get" url="http:mydomain.com/iptest.cfm" result="result">
<cfloop collection="#CGI#" item="CGIKey">
<cfhttpparam type="CGI" name="#CGIKey#" value="[#CGI['#CGIKey#']#] IS_MODIFYABLE" encoded="false">
</cfloop>
</cfhttp>

<cfoutput>#result.FileContent#</cfoutput>

In iptest.cfm:
<cfdump var="#CGI#">

You get a dump of the CGI scope. There are many CGI variables you can modify but remote_addr is not one of them. Actually 10 out of 44 are not modifyable on my server - Apache 2.059. Not quite clear why some values can be overwritten and others not.

Posted by Marc on Apr 8, 2008 at 7:38 AM

Hey! I used to work for her! She was a hotty well into her sixties too! She had a big set of knockers .. too bad she was a boozer. Still ... a luscious GILF after all these years!

Posted by Some Guy on Apr 15, 2008 at 3:53 PM

Post Comment  |  Ask Ben