you're reading...
Hacking / Counter Intelligence, Predictive Analytics, Source Code, Tips

Tracking Website Visitors Pt1: Masking Image Requests

Email marketers commonly use small images embedded in email messages as tracking mechanisms. These email tracking images enable marketers to track approximately how many people viewed a particular email campaign. The same technology has implications in security.

Now and then I am asked to consult on Bond skips. Bounty hunters will ask me to help them narrow down a particular city/state when their skip has ties with multiple states.

I also use a similiar set of files for tracking impressions on Craigslist for my ad management customers. When posting to Craigslist, the number of views vs time that an ad is live is a strong indicator as to whether or not you are being targeted by auto flaggers.

I consider the heart and soul of this source its ability to quietly rewrite a url so an end user never sees a scripted page involved.

RewriteRule ^([A-z0-9]{6}).jpg$ /tracker/return_image.php?id=$1 [L]

The above code goes in your .htaccess file and checks to see if you are requesting an image on the root of the domain with a 6 character alphanumeric. As there typically shouldn’t be images at this location, its a good general place for me to point this example code at. Below is an example of a modified .htaccess for a wordpress blog.


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^([A-z0-9]{6}).png$ /tracker/return_image.php?id=$1 [L]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
  1. Tracking Website Visitors Pt1: Masking Image Requests
  2. Tracking Website Visitors Pt2: Returning Image From Database
  3. Tracking Website Visitors Pt3: Returning Tracking Information
  4. Tracking Website Visitors Pt4: Uploading Image to MySql
  5. Tracking Website Visitors Pt5: Installation Script

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: