[Bill Thompson <billat_private>]
> One form of protection from a truly *cross-site* attack that I didn't
> see mentioned in the CERT advisory is the trusty "HTTP_REFERER"
> check. But then, with so many sites using affiliate programs to get
> their search boxes and book-buying links distributed across the Web,
> there may be few major e-commerce sites that block requests based on
> the referral source.

HTTP_REFERER is trivial to spoof, and it's likely that anyone perpetrating a
sophisticated attack would laugh at having to spoof the Referer: header. It's
a form of trusting the client, which is a big, huge no-no.

It's okay if you're trying to protect from someone seeing a page that they
should register for (like downloading a white paper), because it's not worth
an attacker's trouble to circumvent something like that. But Referer: should
never be used as a security measure. Hell, anyone with telnet can spoof a
Referer: URL.

-- 
Ari
there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
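Ari's point that a Referer check amounts to trusting the client, as an added example that is not from the original post: the Referer decision rests entirely on a header the client composes, while a session lookup rests on state only the server writes. The origin, session ids and request headers below are constructed for illustration.

```python
"""Client-asserted vs server-verified authorization (added example).
Requests are modelled as dicts of headers; SESSIONS stands in for the
server's own session table, which a client cannot write to."""

from http.cookies import SimpleCookie

TRUSTED_ORIGIN = "https://shop.example"  # constructed origin


def referer_allows(headers: dict) -> bool:
    """Decide purely on the Referer header. Every byte of it is chosen
    by the client, so this is an access decision based on a claim the
    server never verifies. Clients that strip Referer (privacy settings,
    proxies) are also wrongly denied."""
    referer = headers.get("Referer", "")
    return referer.startswith(TRUSTED_ORIGIN + "/")


def session_allows(headers: dict, sessions: dict) -> bool:
    """Decide on server-held state: the session id in the cookie must map
    to a logged-in entry in the server's table. The client may send any
    id it likes, but only the server can create entries."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = cookie["sid"].value if "sid" in cookie else None
    return sessions.get(sid, {}).get("logged_in", False)


# Constructed server state: a single valid session.
SESSIONS = {"s3ss10n-abc": {"user": "alice", "logged_in": True}}

# Constructed requests.
GENUINE = {"Referer": "https://shop.example/cart", "Cookie": "sid=s3ss10n-abc"}
CLAIMED_ONLY = {"Referer": "https://shop.example/cart", "Cookie": "sid=nope"}
NO_REFERER = {"Cookie": "sid=s3ss10n-abc"}  # genuine user, Referer stripped


def evaluate() -> dict:
    """Return (referer_check, session_check) for each constructed request."""
    cases = {"genuine": GENUINE, "claimed_only": CLAIMED_ONLY, "no_referer": NO_REFERER}
    return {name: (referer_allows(h), session_allows(h, SESSIONS)) for name, h in cases.items()}


if __name__ == "__main__":
    for name, (by_referer, by_session) in evaluate().items():
        print(f"{name:13s} referer_check={by_referer!s:5s} session_check={by_session}")
```

The claimed-only request passes the Referer check on nothing but its own say-so, and the genuine user with a stripped Referer is denied by it; the session check gets both right.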
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:47 PDT