What is a good risk assessment for different types of online file references?

Question

Personally I'm a big fan of hosting everything myself, just because of the privacy aspect. For that reason I try to use external files as least as possible. Nevertheless, I'm wondering if it is a security risk to hotlink to files other than JavaScript files.

The risk of hotlinking to an external JavaScript file seems pretty clear to me. Since that other domain will be able to execute anything in the clients browser, on your domain. So it's not about JavaScript files. I'm just talking about files like images, cascading style sheets and for example PDF, office or MP3 files.

On the other hand, what if the scenario is exactly other way around? What risks can you potentially face when people are hot-linking to your files or images? I know some anti hotlinking methods, some of them use a mod_rewrite approach, which is based on a referrer that can be easily spoofed.

So I have three questions:

1. Is hotlinking to external file (like described above) dangerous or can it be a potential risk to your website or website visitors?
2. Can you face a risk yourself when people are hotlinking to self-hosted files, other then a availability risk?
3. When question number 2 is a risk: What are the best practices to protect your files from being hotlinked by others?

Answer 1

Is hotlinking to external file (like described above) dangerous or can it be a potential risk to your website or website visitors?

If any of your users are unpatched and you are including content from an externally linked domain, it would be possible for the external domain to switch the content to a malicious image, Flash file or Word document.

Can you face a risk yourself when people are hotlinking to self-hosted files, other then a availability risk?

Yes, mainly just an availability risk, although as they are making a cross domain request to your server, they could be exploiting any CSRF vulnerabilities or injection vulnerabilities and using their end-users to do it. This argument however is weak, as these vulnerabilities are vulnerabilities themselves and can be mitigated in isolation.

When question number 2 is a risk: What are the best practices to protect your files from being hotlinked by others?

An option would be checking referer header, although this can have its own problems. Some users turn off referer to increase privacy, and some referer checks suffer from logic bugs (e.g. http://example.com/example.org may pass the referer check for example.org if not coded correctly). Another option would be to check the user has a valid session on your site. This would easily be bypassed by a site requesting a HTTP page cross domain to set the session. You might have to validate them via a CAPTCHA check before showing them site content. Not a very good user experience.

Another idea would be to randomise URLs. So image.jpg would only be shown if the query string ?validationCheck=123321 was appended to it. Your website would dyamically generate the code:

<img src="/image.jpg?validationCheck=123321" />

and the handler for the jpg file type would check that the validationCheck value is correct. This value could change every few minutes. They could implement a bot to check this, however it would be more work and they might as well copy and save the image to their own server (although it would be subject to copyright infringement). Also, this approach does not sit well with caching.