Most message boards filter out JavaScript by default. About referer checking, there are many clients which either do not send, or give the user the option to not send, HTTP_REFERERs. Therefore, it wouldn't be a good move to rely solely on checking the referer. However, would it be safe to check that if a referer is present, it contains the site's domain name, but if it isn't, it most likely wouldn't have been referenced in an <img> tag or submitted via JavaScript?

--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - servicesat_private

 ______________________________
/ Chris Lambert - cjlambertat_private
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/

----- Original Message -----
From: Shafik Yaghmour <shafikat_private>

| Yeah this is kinda old if you have been developing sites for a
| while, you also need to consider that someone can also do this off the
| site as well. So if they have the ability to link to a site from your
| site they can get people to go to that site and then do the post from that
| site and this defeats this protection. Therefore, although everyone disparages
| HTTP_REFERER checking, in this case it will protect the innocent user.
| You also need to filter out JavaScript if you allow the user to
| craft their own image tags, this is a much worse problem because they can
| then claim the user's cookie, encryption won't help you here. Of course
| they could also do other bad things with JavaScript.
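
The lenient referer policy asked about above (accept a missing referer, require the site's domain when one is present), as an added example that is not part of either post. It compares a literal "contains the domain name" test with a comparison of the parsed host; SITE_HOST, the function names and the sample Referer values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

SITE_HOST = "board.example"  # assumption: placeholder for the site's own host name


def naive_check(referer):
    """Substring test: 'contains the site's domain name' taken literally."""
    return not referer or SITE_HOST in referer


def strict_check(referer, allow_missing=True):
    """Compare the parsed host of the Referer with the site's host.

    allow_missing=True is the lenient policy from the post: a request with
    no Referer is accepted, because many clients never send one.
    Subdomains of SITE_HOST are accepted here; that is an assumption.
    """
    if not referer:
        return allow_missing
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # unparseable header: treat as foreign
    if parts.scheme not in ("http", "https"):
        return False
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


# Constructed Referer values, not taken from any real log.
SAMPLES = [
    None,                                            # header not sent
    "http://board.example/post.php?thread=12",       # same site
    "http://www.board.example/index.php",            # subdomain of the site
    "http://other.example/page?from=board.example",  # name only in the query
    "http://board.example.other.example/",           # name as a host prefix
    "http://notboard.example/",                      # name as a host suffix
]


def compare():
    """Return (referer, naive result, strict result) for every sample."""
    return [(r, naive_check(r), strict_check(r)) for r in SAMPLES]


if __name__ == "__main__":
    for referer, naive, strict in compare():
        print(f"{str(referer):48} naive={naive!s:5} strict={strict}")
```

With allow_missing=True a request that carries no Referer is still accepted, so the check only covers clients that send the header.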
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 13:25:01 PDT