Taneli Huuskonen wrote:
>
> Now, if trusted.com's
> webserver refused to serve anything else but the index page unless the
> Referer: field contained a trusted.com URL, this attack would be foiled.
>
> Now, is there a way to trick a browser into lying about the referrer?
>

According to
http://www.securiteam.com/securitynews/DHTML_makes_HTTP_REFERER_an_unreliable_sanity_check.html
it is possible for DHTML to lie about the referer.

(I believe this was originally a post here on Bugtraq, but I might be
wrong; could be some other mailing list I'm on too..)

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se E-mail: mikael.olssonat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:58 PDT
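
An added illustration, not part of the original message or of any trusted.com code: the Referer gate proposed in the quoted text, written once as a substring test and once with the header parsed. `TRUSTED_HOST`, the function names and the sample header values are constructed for this example, and a passing verdict only describes the text the client sent.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "trusted.com"  # site name from the quoted message

def naive_referer_ok(headers):
    """Gate as literally worded: the Referer 'contains' the trusted name."""
    return TRUSTED_HOST in headers.get("Referer", "")

def strict_referer_ok(headers):
    """Parse the header and compare scheme and host, not raw text."""
    referer = headers.get("Referer")
    if not referer:
        return False                      # header absent or empty
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").lower()
    except ValueError:                    # malformed URL, e.g. bad brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)

# Constructed header values for exercising both checks (not captured traffic).
SAMPLES = [
    "http://trusted.com/index.html",
    "http://www.trusted.com/docs/page.html",
    "http://trusted.com.other.example/page.html",
    "http://other.example/?next=http://trusted.com/",
    "http://trusted.com@other.example/",
    "",
]

def compare(samples=SAMPLES):
    """Return (header value, naive verdict, strict verdict) per sample."""
    rows = []
    for value in samples:
        headers = {"Referer": value} if value else {}
        rows.append((value, naive_referer_ok(headers), strict_referer_ok(headers)))
    return rows

if __name__ == "__main__":
    for value, naive, strict in compare():
        print(f"{value!r:50} naive={naive!s:5} strict={strict}")
    # Both checks see only the text the client sent. A header that reads
    # http://trusted.com/... passes either way, whoever set it.
```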