Home page logo
/

basics logo Security Basics mailing list archives

RE: HTTPS redirections
From: "theog" <theog () theog org>
Date: Mon, 27 Aug 2007 15:33:34 +0300

Indeed they are using http referrers to check if it's a direct link or a
clicked one from another site, please bare in mind that unless you check the
origin, google will be a valid referrer as well as other search engines. 

RCT Internet solutions.
http://dir.rct.co.il
http://www.rct.co.il 
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jason Ross
Sent: Saturday, August 25, 2007 12:13 AM
To: anthony () synt3gra com
Cc: security-basics () securityfocus com
Subject: Re: HTTPS redirections

On 8/24/07, anthony () synt3gra com <anthony () synt3gra com> wrote:
I have noticed how some websites only allow access to a particular
page if a link within the page has been 'clicked' ie. user cannot
paste link address in browser bar to get to desired page.
For security purposes I would like to create a script and achieve
similar results.

I believe that (at least one way) this is done is by checking the
referer header. In PHP this can be accessed via the predefined
variable: $_SERVER['HTTP_REFERER'], other languages should have
similar methods of obtaining this.

AFAIK, there is not a difference between HTTP and HTTPS as far as
this method is concerned.

--
Jason



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault