[HN Gopher] Show HN: Host a Website in the URL
___________________________________________________________________
Show HN: Host a Website in the URL
I wrote this silly thing a couple of weeks ago. It's absolutely
useless but it's a fun tech demo for my web server library. Enjoy!
Author : acidx
Score : 67 points
Date : 2023-09-06 17:24 UTC (2 hours ago)
(HTM) web link (smolsite.zip)
(TXT) w3m dump (smolsite.zip)
| klntsky wrote:
| Base64 is far from being efficient for this use case
| pmarreck wrote:
| Base122 or whatever the other option is (and I'm sure there are
| others), which tries to take advantage of the whole UTF-8
| space, and probably wouldn't even work on URLs, is only
| something like 15% denser. Obviously, you're limited to
| printable characters, here.
| py4 wrote:
| Pretty cool!
| Ndymium wrote:
| Cool little project! I did a similar thing recently, I wrote a
| pastebin that puts the file contents in the URL with brotli. [0]
|
| It works quite well, but I'll need to update the syntax
| highlighting soon as at least Gleam is out of date (boy that
| language moves fast), and sometimes brotli-wasm throws a memory
| allocation error for some reason. I guess that's one cool thing
| that WASM brought to the table, memory handling issues.
|
| [0] https://nicd.gitlab.io/t/
| MoElmredi wrote:
| Isn't there a size limit?
| grepfru_it wrote:
| Yes[0]. Assume 2000 bytes (I believe chrome or safari only
| supports 2k bytes). RFC states 8000 bytes. Firefox supports 65k
| bytes.
|
| [0] https://stackoverflow.com/questions/417142/what-is-the-
| maxim...
| MoElmredi wrote:
| Thank you!
| kristopolous wrote:
| Also known as HTTP Status Code 414
| giuliomagnifico wrote:
| This is very cool, thanks for sharing!
| lagniappe wrote:
| How does it react to a zip bomb?
| whoomp12342 wrote:
| 2000 bytes limit
| DriverDaily wrote:
| Plenty of room for a recursive function with no base case
| grepfru_it wrote:
| You're not getting very far on 2k bytes. A 10k file expands
| to 10MB and will likely timeout if the author's webhost
| configured proper limits
| acidx wrote:
| Files are not decompressed in the server: it sends the
| unmodified deflate stream back to the user.
| pmarreck wrote:
| "Compression bombs that use the zip format must cope with the
| fact that DEFLATE, the compression algorithm most commonly
| supported by zip parsers, cannot achieve a compression ratio
| greater than 1032. For this reason, zip bombs typically rely on
| recursive decompression, nesting zip files within zip files to
| get an extra factor of 1032 with each layer. But the trick only
| works on implementations that unzip recursively, and most do
| not."
|
| https://www.bamsoftware.com/hacks/zipbomb/
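The DEFLATE ceiling quoted above and the 2000-byte URL limit discussed earlier, as an added example that is not from smolsite.zip or any commenter: it measures how far one DEFLATE layer expands a URL-sized payload and shows a decoder that enforces an output cap rather than trusting the stream. The URL prefix and the 2000-character limit are assumptions taken from the thread.

```python
# Added example (not from smolsite.zip or the thread): how far a single
# DEFLATE layer can expand a URL-sized payload, and a decoder that caps output.
import base64
import zlib

DEFLATE_MAX_RATIO = 1032      # ceiling for one DEFLATE layer (bamsoftware.com)
URL_LIMIT = 2000              # conservative URL length assumed from the thread
URL_PREFIX = "https://smolsite.zip/"   # assumed prefix, taken from the thread


def raw_deflate(data: bytes) -> bytes:
    """Compress to a raw DEFLATE stream (no zlib/gzip header), as a zip entry stores it."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def expansion_ratio(stream: bytes) -> float:
    """Fully inflate a stream we constructed ourselves and report original/compressed size."""
    inflated = zlib.decompress(stream, wbits=-15)
    return len(inflated) / len(stream)


def fits_in_url(stream: bytes) -> bool:
    """Would this stream, base64url-encoded after URL_PREFIX, stay within URL_LIMIT chars?"""
    encoded = base64.urlsafe_b64encode(stream)
    return len(URL_PREFIX) + len(encoded) <= URL_LIMIT


def bounded_inflate(stream: bytes, max_out: int) -> bytes:
    """Inflate a raw DEFLATE stream but refuse to emit more than max_out bytes.

    decompress(max_length=...) stops zlib once the cap is reached. Input left in
    unconsumed_tail, or a stream that never reached end-of-stream, means the real
    output would exceed the cap, so the stream is rejected instead of guessed at.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(stream, max_out)
    if d.unconsumed_tail or not d.eof:
        raise ValueError(f"inflated output would exceed {max_out} bytes")
    return out


if __name__ == "__main__":
    bomb = raw_deflate(b"\0" * (1 << 20))     # constructed: 1 MiB of zeros
    print(f"{len(bomb)} compressed bytes, ratio {expansion_ratio(bomb):.0f}:1, "
          f"fits in a {URL_LIMIT}-char URL: {fits_in_url(bomb)}")
    try:
        bounded_inflate(bomb, 64 * 1024)
    except ValueError as e:
        print("rejected:", e)
```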
| [deleted]
| netcraft wrote:
| This reminds me of this project:
| http://ephemeralp2p.durazo.us/2bbbf21959178ef2f935e90fc60e5b...
|
| Myself and two other people have literally kept this page alive
| for many years - the github repo says 2017.
| [deleted]
| [deleted]
| gildas wrote:
| Alternatively, when formatted "properly", you can also simply
| host your zip file. See https://gildas-lormeau.github.io/ for
| example.
| stolenmerch wrote:
| See also: https://itty.bitty.site/
| [deleted]
| porsager wrote:
| Yeah, I had exactly that, but in my opinion better, with
| fullscreen mode on https://flems.io. Right up until hackers found
| it was a great place to host their phishing sites...
| mattbgates wrote:
| I created a website years ago that let anyone come and just
| "post" something online anonymously, quick notes or whatever,
| but have since had to add a registration process and record IP
| addresses, as the website was overrun by what looked like
| Russian hackers and the dark web in general looking for a place
| for uh... post links to child... well anyways, took me almost a
| month to track down all my own website links, as everything was
| encrypted and growing faster than I could delete it. def sucks
| to know that even though I took down the means for a place for
| them to 'conduct business', they will continue to find other
| websites.
| acidx wrote:
| That's why we can't have nice things. :(
| ihaveajob wrote:
| This is hilarious, but I think it may have some practical
| applications. Watch out for hackers though.
| grepfru_it wrote:
| I immediately thought this is a great way to ship malicious
| payloads to an unexpected party. A good WAF would block it as
| sus, but a few tricks could probably get around that as well
| anamexis wrote:
| How is it different from _any_ webpage in that regard?
| misterbwong wrote:
| The difference is that the contents of this website can be
| crafted by the attacker directly via the URL without having
| to do anything to the host.
| anamexis wrote:
| How is that a meaningful attack vector, unique from
| webpages in general?
| Syntaf wrote:
| 1. Find existing smol being shared around
|
| 2. Modify the parameters to hijack any relevant content
|
| 3. Reshare the smol site with your changes under the
| guise it's the original link
| anamexis wrote:
| That's not novel. You could say the same thing for a
| GitHub Pages page, or a Code Sandbox, or an S3 static
| site, or really anything.
|
| The only reason that would be a threat is if you
| implicitly trusted smolsite.zip, which would be an odd
| thing to do.
| rswskg wrote:
| Literally designed around XSS
| Minor49er wrote:
| Not quite. Some resources don't automatically run
|
| https://smolsite.zip/UEsDBBQAAgAIAPtxJlepozjzcAAAAIgAAAAKAAA...
| mattbgates wrote:
| got me har har
| [deleted]
| mazokum wrote:
| Reminded me of a site from the creator of Advent of Code to share
| solutions of the puzzles (or any plaintext for that matter).
|
| https://topaz.github.io/paste/
| rtcode_io wrote:
| We host the full https://RTCode.io playground state in the hash,
| deploy it to https://RTEdge.net and serve the output at / and the
| playground at /?
|
| - <https://RTEdge.net/> output
|
| - <https://RTEdge.net/?> playground
|
| For more information: https://efn.kr
| pmarreck wrote:
| Wow, this is some interesting web voodoo! What about auth?
___________________________________________________________________
(page generated 2023-09-06 20:00 UTC)