Have you ever wondered why some web pages include a 1×1 GIF image? Well, they’re called web bugs, and they track you.
The beacon images (better known as web bugs) are basically just hidden scripts behind images. They can easily be spotted because they usually don’t end with a common image format, like gif, jpeg or png.
An example of web beacon could be this:
<img src="beacon.php" width="1" height="1" alt="">
As you can see, the src attribute contains a PHP script. It’s easy to find (and block) web bugs when you see that an image is served as PHP.
By the way, more generally speaking, if you see that a file ends with .jpg (it’s an image, you think) or just doesn’t have an extension (I’m inside a folder, you think)… well, you could be wrong. I can easily execute a script when an user requests a simple image ending with .jpg, and I’ll explain you how.
In order to create a hidden web bug, you need to enable the Apache’s URL rewriting module (mod_rewrite). Create a new .htaccess file and put the following code in it:
RewriteEngine On
RewriteRule ^(.*).(png|jpg|gif)$ script.php
Now create the script.php file and write some random code:
<?php
$fullpath = $_SERVER['REQUEST_URI'];
$filename = basename($fullpath);
$ip = $_SERVER['REMOTE_ADDR'];
$useragent = $_SERVER['HTTP_USER_AGENT'];
echo "Path: $fullpath;<br>
File: $filename;<br>
IP address: $ip;<br>
User agent: $useragent";
And now try to navigate through an image, let’s say cat.gif. You’ll go to http://yoursite.com/path/to/cat.gif and you’ll expect to see a cat. Instead, you’ll see something like this:
Path: /path/to/cat.gif;
File: cat.gif;
IP address: 127.0.0.1;
User agent: Mozilla/5.0 [...];
Take a quick look at the URL in your browser’s address bar. You requested a cat.gif, but script.php has been executed instead. Kind of creepy, isn’t it? Imagine what else you could do. You can execute code. Possibilities are infinite.