Bugtraq mailing list archives

Re: recent 'cross site scripting' CERT advisory
From: regs () NEBCORP COM (Ari Gordon-Schlosberg)
Date: Mon, 7 Feb 2000 17:55:00 -0600

[Bill Thompson <bill () DIAL PIPEX COM>]
> One form of protection from a truly *cross-site* attack that I didn't
> see mentioned in the CERT advisory is the trusty "HTTP_REFERER"
> check. But then, with so many sites using affiliate programs to get
> their search boxes and book-buying links distributed across the Web,
> there may be few major e-commerce sites that block requests based on
> the referral source.

HTTP_REFERER is trivial to spoof, and it's likely that anyone perpetrating
a sophisticated attack would laugh at having to spoof the Referer: header.
It's a form of trusting the client, which is a big, huge no-no.  It's okay
if you're trying to protect from someone seeing a page that they should
register for (like downloading a white paper), because it's not worth an
attacker's trouble to circumvent something like that.  But Referer: should
never be used as a security measure.  Hell, anyone with telnet can spoof a
Referer:

Ari                                                     there is no spoon
http://www.nebcorp.com/~regs/pgp for PGP public key
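The following is an added example, not code from the original post or from either poster: it implements the "trusty HTTP_REFERER check" Bill Thompson describes against raw HTTP/1.0 requests, then feeds it a request hand-built the way one would type it into telnet, with a forged Referer: naming the protected site. The host names and the /cgi-bin/buy path are assumptions for illustration only. The third sample, a request carrying no Referer: at all, is the practitioner's caveat that a strict check also rejects bookmarks and browsers configured not to send the header.

```python
"""Added example, not from the original post: a Referer-based access check
applied to raw HTTP requests, and a forged request that passes it anyway.
Host names and paths below are assumptions for illustration only."""
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_HOST = "shop.example"     # assumed: the site doing the check
ATTACKER_HOST = "evil.example"    # assumed: a third-party site


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into its request line and a header map.

    Header names are lower-cased, so 'Referer' and 'referer' land on the
    same key, much as CGI exposes the header as a single HTTP_REFERER.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def referer_check(req: dict) -> bool:
    """Server side: allow the request only if Referer names our own host.

    This is the check the post calls 'trusting the client': the value is
    whatever the sender chose to write into the header.
    """
    referer = req["headers"].get("referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == TRUSTED_HOST


def build_request(path: str, host: str, referer: Optional[str]) -> bytes:
    """Client side: assemble the bytes a browser (or a telnet session) sends."""
    lines = [f"GET {path} HTTP/1.0", f"Host: {host}"]
    if referer is not None:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed sample requests (not captured traffic).
# 1. A browser following a link from the attacker's site: the honest
#    Referer gives it away, and the check rejects it.
CROSS_SITE = build_request("/cgi-bin/buy?item=42", TRUSTED_HOST,
                           f"http://{ATTACKER_HOST}/lure.html")

# 2. The same request with a forged Referer, exactly as one would type it
#    into telnet: the server cannot tell it from a legitimate one.
SPOOFED = build_request("/cgi-bin/buy?item=42", TRUSTED_HOST,
                        f"http://{TRUSTED_HOST}/catalog.html")

# 3. No Referer at all (a bookmark, or a browser that suppresses the
#    header): a strict check turns legitimate users away too.
NO_REFERER = build_request("/cgi-bin/buy?item=42", TRUSTED_HOST, None)


def demo() -> dict:
    """Return the check's verdict for each sample request."""
    return {name: referer_check(parse_request(raw))
            for name, raw in (("cross_site", CROSS_SITE),
                              ("spoofed", SPOOFED),
                              ("no_referer", NO_REFERER))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11s} -> {'allowed' if verdict else 'rejected'}")
```

Running it shows the check rejecting the honest cross-site request and accepting the forged one; the only difference between the two is a line the sender typed. That is the whole of Ari's point: the header is an assertion by the client, so a check built on it only stops clients that do not bother to lie.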
