1

There is a website that shows an image but you cant download it. It uses background techniques and forces javascript to avoid save as and when you find the file image url in the code you cant directly access it. I would like to know how to reproduce this and how can I get the file. I looked in cache but cant find it. In resources in chrome dev tools i can see the image full size but cant save it without printscreen.

It must have something to do with htaccess i think but not sure.

Edit: The block should be similar to this one I'll try setup a little test like this: (htaccess) How to prevent a file from DIRECT URL ACCESS?

If the jpeg is shown in http://localhost/test/ but http://localhost/test/sample.jpg throws an error how can I get the file through cURL?

Community
  • 1
  • 1
2Noob2Good
  • 159
  • 1
  • 12
  • What's the url? Because of the wide range of possibilities, it's hard to answer without seeing the issue. – Jesse Mar 04 '14 at 01:47
  • 2
    If an image is displayed in a browser there will always be a way to get it, it's already downloaded onto the users machine at some point. Instead you should try to protect your images another way through a watermark or something. – Nick Barrett Mar 04 '14 at 01:50

1 Answers1

1

A good place to start would be trying to curl or wget the url (you can find the URL in chrome dev tools).

Posting the result here if it's unsuccessful will also help.

If it is in fact being denied at the request level (which is what Apache would be doing if it was done with an .htaccess file), there are likely headers or cookies that allow it to be requested by the app.

If the image isn't drawn on the page using javascript, you can also just simply turn off javascript, which would allow you to right-click and save the image normally, if the app is preventing access on the client.

Check out the headers & cookies sent when requesting the image, and either use those in curl or an app like GraphicalHTTPClient.

Edit: here's an image of the chrome dev tools, with the headers for an image showing. You'll find this in the "Network" panel in dev tools. Note that the tools must be open when the image loads.

Headers & Cookies in Dev Tools

One side note: .htaccess files are used by apache, which is just a server, and doesn't necessarily have anything to do with php. It's pretty unlikely that the app is denying from their php code (if the app is even written in php), as serving images via php is very uncommon.

Jesse
  • 10,370
  • 10
  • 62
  • 81
  • Please check my edit. Can you help me out in how exactly I checkout headers & cookies and how can I use them in curl to get the image? – 2Noob2Good Mar 04 '14 at 02:13
  • Just added an image. In the example you gave, you'd want to add a referer (yes, it's intentionally misspelled) header that is the site you're targeting. For your example, you'd do this: `curl -o sample.jpg -H "Referer: http://localhost/test" http://localhost/test/sample.jpg` – Jesse Mar 04 '14 at 02:23
  • Got it but I still get the same error when setting curl. I'm doing it with PHP with an options array with CURLOPT_REFERER => $ref. What should I do? In chrome I have something "copy as curl" but how can I use curl without PHP? – 2Noob2Good Mar 04 '14 at 04:56
  • I went to google dev tools and copied the request as cURL. Then pasted in the cmd of windows and the request is denied. I think that cURL isn't the tool to do this because I think that cURL always requires a direct request. For some reason I need to "be" at a certain URL and request the jpg from there. I have no idea how I can do this with cURL or any other tool. Fiddler allows me to get the image but not with a "direct" request to the file – 2Noob2Good Mar 04 '14 at 20:10
  • Like I said, there's a ton of ways that the server may be obscuring the image, but the bottom line is that the server can only see the info sent with the request - so while you can do things similar to CSRF protection to prevent access, there's always a way around. That said, without looking at your specific case, I'm not sure I can help much more by just guessing. – Jesse Mar 04 '14 at 20:19
  • Also, if you've really managed to find someone going to so much trouble to protect their images in a way that it's not pretty obvious how to download them, they are probably not going to be happy about you downloading them - keep this in mind. This is certainly an interesting problem, but just in case you're actually asking for advice on how to do something illegal: don't ask here on SO :) – Jesse Mar 04 '14 at 20:23