[HN Gopher] Show HN: Host a Website in the URL
___________________________________________________________________

Show HN: Host a Website in the URL

I wrote this silly thing a couple of weeks ago. It's absolutely useless but it's a fun tech demo for my web server library. Enjoy!

Author : acidx
Score  : 67 points
Date   : 2023-09-06 17:24 UTC (2 hours ago)
Link   : smolsite.zip

klntsky wrote:
Base64 is far from being efficient for this use case.

pmarreck wrote:
Base122 or whatever the other option is (and I'm sure there are others), which tries to take advantage of the whole UTF-8 space, and probably wouldn't even work on URLs, is only something like 15% denser. Obviously, you're limited to printable characters here.

py4 wrote:
Pretty cool!

Ndymium wrote:
Cool little project! I did a similar thing recently, I wrote a pastebin that puts the file contents in the URL with brotli. [0]

It works quite well, but I'll need to update the syntax highlighting soon as at least Gleam is out of date (boy that language moves fast), and sometimes brotli-wasm throws a memory allocation error for some reason. I guess that's one cool thing that WASM brought to the table, memory handling issues.

[0] https://nicd.gitlab.io/t/

MoElmredi wrote:
Isn't there a size limit?

grepfru_it wrote:
Yes [0]. Assume 2000 bytes (I believe Chrome or Safari only supports 2k bytes). RFC states 8000 bytes. Firefox supports 65k bytes.

[0] https://stackoverflow.com/questions/417142/what-is-the-maxim...

MoElmredi wrote:
Thank you!

kristopolous wrote:
Also known as HTTP Status Code 414.

giuliomagnifico wrote:
This is very cool, thanks for sharing!

lagniappe wrote:
How does it react to a zip bomb?

whoomp12342 wrote:
2000 bytes limit.

DriverDaily wrote:
Plenty of room for a recursive function with no base case.

grepfru_it wrote:
You're not getting very far on 2k bytes. A 10k file expands to 10MB and will likely time out if the author's webhost configured proper limits.

acidx wrote:
Files are not decompressed in the server: it sends the unmodified deflate stream back to the user.

pmarreck wrote:
"Compression bombs that use the zip format must cope with the fact that DEFLATE, the compression algorithm most commonly supported by zip parsers, cannot achieve a compression ratio greater than 1032. For this reason, zip bombs typically rely on recursive decompression, nesting zip files within zip files to get an extra factor of 1032 with each layer. But the trick only works on implementations that unzip recursively, and most do not."

https://www.bamsoftware.com/hacks/zipbomb/

netcraft wrote:
This reminds me of this project: http://ephemeralp2p.durazo.us/2bbbf21959178ef2f935e90fc60e5b...

Myself and two other people have literally kept this page alive for many years - the GitHub repo says 2017.

gildas wrote:
Alternatively, when formatted "properly", you can also simply host your zip file. See https://gildas-lormeau.github.io/ for example.

stolenmerch wrote:
See also: https://itty.bitty.site/

porsager wrote:
Yeah, I had exactly that, but in my opinion better, with fullscreen mode on https://flems.io. Right up until hackers found it was a great place to host their phishing sites...

mattbgates wrote:
I created a website years ago that let anyone come and just "post" something online anonymously, quick notes or whatever, but have since had to add a registration process and record IP addresses, as the website was overrun by what looked like Russian hackers and the dark web in general looking for a place for uh... post links to child... well anyways, took me almost a month to track down all my own website links, as everything was encrypted and growing faster than I could delete it. Def sucks to know that even though I took down the means for a place for them to 'conduct business', they will continue to find other websites.

acidx wrote:
That's why we can't have nice things. :(

ihaveajob wrote:
This is hilarious, but I think it may have some practical applications. Watch out for hackers though.

grepfru_it wrote:
I immediately thought this is a great way to ship malicious payloads to an unexpected party. A good WAF would block it as sus, but a few tricks could probably get around that as well.

anamexis wrote:
How is it different from _any_ webpage in that regard?

misterbwong wrote:
The difference is that the contents of this website can be crafted by the attacker directly via the URL without having to do anything to the host.

anamexis wrote:
How is that a meaningful attack vector, unique from webpages in general?

Syntaf wrote:
1. Find existing smol being shared around

2. Modify the parameters to hijack any relevant content

3. Reshare the smol site with your changes under the guise it's the original link

anamexis wrote:
That's not novel. You could say the same thing for a GitHub Pages page, or a Code Sandbox, or an S3 static site, or really anything.

The only reason that would be a threat is if you implicitly trusted smolsite.zip, which would be an odd thing to do.

rswskg wrote:
Literally designed around XSS.

Minor49er wrote:
Not quite. Some resources don't automatically run.

https://smolsite.zip/UEsDBBQAAgAIAPtxJlepozjzcAAAAIgAAAAKAAA...

mattbgates wrote:
Got me har har.

mazokum wrote:
Reminded me of a site from the creator of Advent of Code to share solutions of the puzzles (or any plaintext for that matter).

https://topaz.github.io/paste/

rtcode_io wrote:
We host the full https://RTCode.io playground state in the hash, deploy it to https://RTEdge.net and serve the output at / and the playground at /?

- <https://RTEdge.net/> output

- <https://RTEdge.net/?> playground

For more information: https://efn.kr

pmarreck wrote:
Wow, this is some interesting web voodoo! What about auth?
___________________________________________________________________
(page generated 2023-09-06 20:00 UTC)
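The thread's zip-bomb and URL-length discussion, as an added example that is not smolsite's code or any commenter's: a gateway-side check that reads only the zip central directory (never decompressing, as the author says the server does), flags nested archives and impossible DEFLATE ratios, and enforces a URL budget. The 2000-byte budget, the 1 MiB cap on declared unpacked size and the sample site files are assumptions.

```python
"""Gateway-side checks for a smolsite-style "zip in the URL" payload.
Constructed illustration: site files, URL budget and caps are assumptions,
not smolsite's own code."""
import base64
import io
import zipfile

URL_BUDGET = 2000                    # bytes: the 2k figure quoted in the thread
MAX_RATIO = 1032                     # DEFLATE's ceiling, per the quoted article
MAX_UNCOMPRESSED = 1 * 1024 * 1024   # assumed cap on declared unpacked size


def zip_bytes(files: dict) -> bytes:
    """Write the given name->content mapping into a DEFLATE zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_payload(files: dict) -> str:
    """Encode the zip as an unpadded base64url path segment."""
    return base64.urlsafe_b64encode(zip_bytes(files)).decode("ascii").rstrip("=")


def check_payload(segment: str, host: str = "smolsite.zip") -> list:
    """Return policy violations for a path segment; an empty list means it passes.
    Only the central directory is read; nothing is decompressed, matching the
    server's own behaviour of forwarding the deflate stream untouched."""
    problems = []
    url_len = len(f"https://{host}/{segment}")
    if url_len > URL_BUDGET:
        problems.append(f"url length {url_len} exceeds {URL_BUDGET}")
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        zf = zipfile.ZipFile(io.BytesIO(raw))
    except (ValueError, zipfile.BadZipFile) as exc:
        return problems + [f"not a base64url zip: {exc}"]
    total = 0
    for info in zf.infolist():
        total += info.file_size
        # Nested archives are how zip bombs get past DEFLATE's 1032:1 limit.
        if info.filename.lower().endswith(".zip"):
            problems.append(f"nested archive {info.filename!r}")
        # A declared ratio above 1032 means the headers lie about the sizes.
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            problems.append(f"{info.filename!r} declares an impossible ratio")
    if total > MAX_UNCOMPRESSED:
        problems.append(f"declared unpacked size {total} exceeds {MAX_UNCOMPRESSED}")
    return problems
```

A 2 MiB all-zero file trips both the URL budget and the unpacked-size cap, while a one-line index.html passes cleanly.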