Msg#: 4191120 posted 8:37 pm on Aug 23, 2010 (gmt 0)
This is one of those jaw-dropping ideas for me. You can compress JS and CSS to PNG, and take advantage of the image compression algo. I wish the article compared the approach to gzip compression, but it's still very cool.
The build process for the application works like this: all JS and CSS files are merged and minified using YUICompressor, then the minified JS and CSS are concatenated into one string, separated by a unique delimiter. This long string is then encoded into a PNG image.
Msg#: 4191120 posted 9:23 pm on Aug 23, 2010 (gmt 0)
Really nice find tedster!
PNG uses the deflate algorithm which is one of the oldest compression algorithms supported in gzip. With the wider choice of algorithms in modern gzip implementations the latter will probably perform better in most situations. But the idea of hiding your scripts inside image files: passing payload through firewalls, spam filters, virus filters and all kinds of other road blocks without any problem. Or sending compressed content via proxy servers which normally don't allow compressed content. The uses are unlimited.
Msg#: 4191120 posted 3:18 pm on Aug 24, 2010 (gmt 0)
Not exactly the same thing, but there are also various schemes for hiding textual data in JPEGs because JPEGs have all sorts of places to store text.
And you can compress a file as RAR and add it to a JPEG and the image will still display normally. Only the file size will suggest the JPEG has something fishy, but since some people save JPEGs at 90 quality, they can be unusually large.
So you could easily roll a malicious executable into a jpeg and deliver it to the client browser. The tough part would be getting it extracted from the JPEG and executed client side. But I could put virtually anything on your computer that way.
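A defender-side check for the appended-archive trick described in the post above, as an added example that is not part of the original thread: it walks the JPEG marker structure to the real EOI marker and reports any bytes that follow, rather than relying on file size. The sample file and the names `jpeg_end_offset`, `inspect_jpeg` and `build_sample` are constructed for illustration.

```python
import struct

# Magic numbers of formats commonly appended after an image's end marker.
TRAILER_MAGICS = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"MZ": "pe"}

def jpeg_end_offset(data):
    """Walk the JPEG marker structure; return the offset just past the real EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                     # EOI: end of the image
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers carry no length
        else:
            if pos + 4 > len(data):
                raise ValueError("truncated segment header")
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            if length < 2:
                raise ValueError("invalid segment length")
            pos += 2 + length                    # skips APPn payloads, thumbnails included
            if marker == 0xDA:                   # SOS: entropy-coded scan data follows
                while pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break                    # a real marker, not stuffing or RSTn
                    pos += 1
    raise ValueError("no EOI marker found")

def inspect_jpeg(data):
    end = jpeg_end_offset(data)
    trailer = data[end:]
    kind = next((name for magic, name in TRAILER_MAGICS.items()
                 if trailer.startswith(magic)), "unknown" if trailer else None)
    return {"image_bytes": end, "trailing_bytes": len(trailer), "trailer_type": kind}

def build_sample(trailer=b""):
    """Constructed, structurally valid (not decodable) JPEG for the demo."""
    app1 = b"\xff\xe1" + struct.pack(">H", 8) + b"th\xff\xd9mb"   # decoy FFD9 in payload
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"                        # stuffing and RST0
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + trailer
print(inspect_jpeg(build_sample(b"Rar!\x1a\x07\x00" + b"\xff\xd9" + b"\x00" * 10)))
```

Searching for the first or last `FF D9` byte pair is not enough: the first can sit inside an embedded thumbnail and the last can sit inside the appended data, which is why the walker follows segment lengths and scan data.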
Msg#: 4191120 posted 10:02 am on Sep 25, 2010 (gmt 0)
"So you could easily roll a malicious executable into a jpeg and deliver it to the client browser."
You can do that anyways now with encoding something as part of the HTML (for example base64 anything). The browser will use its cache by default and store the content. It then depends on browser security and add-ons.
There are also the super cookies using Flash that can store large sets of data; they don't expire, can't be deleted by the browser by default and track many things you do.