Dmitry S. Polyakov Wrote:
-------------------------------------------------------
> On Thu, Apr 6, 2017, 10:50 shahzaib mushtaq <shahzaib.cb@gmail.com>
> wrote:
>
> > >>With the controls sites have over the referrer header, it's not
> very
> > effective as an access control mechanism. You can use something like
> > http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
> > instead.
> >
> > We're also using Nginx secure link module based on HASH + expiry but
> > somehow this secure link is exploited by that website. The video
> link hash
> > on his website is exactly matching with ours means no matter if hash
> get
> > expire & new takes it place that leacher is also getting the new
> hash &
> > we're unable to find how he exploited us. Though on digging more
> into this
> > we found that he's using following script to fetch video links from
> our
> > website :
> >
> >
> >
> https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.sal
> tsrd.lite/scrapers/dizibox_scraper.py
> >
> > His website name is also dizibox1.
> >
> IT happens because your secure links hash doesn't have any end user
> unique
> attributes like ip address
> If you'll include enduser ip to the secure link hash, secure link
> become
> unique for the end user. Any direct video link grabbed and shared by
> the
> enduser or some script become useless.


You would think that but with Kodi/XBMC that is not the case their App grabs and sends a HTML request on a per user basis.

So each and every request comes from a users Kodi box or app on their phone etc what when the page generates the HTML response to that user it also generated the response for their IP address.

It is like real web traffic.

I prevented them as I explained here https://forum.nginx.org/read.php?2,273405,273447#msg-273447

Also if you browse and view pornhub, pornsocket, youtube what ever streaming sites etc you will see they now hide and obfuscate their stream links in JavaScript to break these kodi box users as I explained in the link above.

Here is proof :
<script type="text/javascript">
/*This entire area would be their broken up url link obfuscated to be put back together again by JavaScript making it unreadable for these kodi/xbmc users */ = quality_720p;

loadScriptUniqueId.push('111418492');
loadScriptVar.push(flashvars_111418492);

playerObjList.playerDiv_111418492 = {
'flashvars' : {"embedId":111418492},
'embedSWF' : {"url":"https:\/\/bi.phncdn.com\/www-static\/flash\/","element":"playerDiv_111418492","width":"100%","height":"100%","version":"9.0.0"} };
</script>
<div id="playerDiv_111418492" class="playerFlvContainer" data-enlarge="1" data-showautoplayoption="1" data-share="1">
<noscript>
<video style="width:100%; height:100%;" controls="controls" autobuffer="autobuffer" class="player-html5" preload="metadata">
<source src="" type="video/mp4">
</video>
</noscript>

http://www.networkflare.com/