I saw this on the Aberystwyth Comp Sci facebook group: http://lcamtuf.coredump.cx/squirrel/. It’s a little example of embedding image data within a HTML pae, in a similar (but less pleasant) way to using data URIs for embedding images stored as base64 strings (see below). It’s a very hacky way to give direct-link (rather than inlin/hotlinked) users a page rather than the image alone.
I was intrigued so took a quick look at the source and replicated it.
I don’t see much practical use, it’s ugly and I wouldn’t rely on it, but it’s straightforward to replicate and as the page states, all the magic is done client side.
Should work with most images (only tried with jpeg), the first few bytes (APP0 segment) go before the tag, that way it’s recognised as an image (we need to make the body hidden so that doesn’t show, then the page itself goes in the next few bytes – so we’re hoping the browser ignores these. Lastly we put the image data in an unclosed html comment. I suspect with a longer page we’d see the image becoming corrupt.
It even preserves exif.
So what’s the use? Well, you can use the same URL for the img src tags as you do for a landing page. But at the end of the day, you’re serving a corrupt page that shouldn’t work and can’t be relied upon.
It’s interesting, but the correct way to deal with hot linking, or image landing pages is to use mod_rewrite (in Apache). But at the end of the day, file extensions exist for a reason and you shouldn’t really be serving up binary data in such a messy manner anyway. There’s simply no point in forcefully redirecting users away from data like this; those that want it, will get it.
Here is an example of an image that can be copied and pasted directly as HTML. Many browsers recognise data URIs in which we can store data 9such as images as base64:
<img src="data:image/jpg;base64,XXXXXXXXXXXXXX" />
Where “XXXXXXXXXXXXXX” is the base64 string.
Base64 is a binary-to-text encoding mechanism that allows binary data to be transmitted as ASCII (a mere 127 printable characters) strings, when you see “MIME” referenced in relation to email, it’s about getting attachments added, and that’s how it works. Very roughly, encoding data as base64 (using fewer bits) increases size by a third.