Re: recent 'cross site scripting' CERT advisory
From: huuskone () CC HELSINKI FI (Taneli Huuskonen)
Date: Tue, 8 Feb 2000 09:59:56 +0200
Ari Gordon-Schlosberg wrote:
> [Bill Thompson <bill () DIAL PIPEX COM>]
> > One form of protection from a truly *cross-site* attack that I didn't
> > see mentioned in the CERT advisory is the trusty "HTTP_REFERER"
> HTTP_REFERER is trivial to spoof, and it's likely that anyone perpetrating
> a sophisticated attack would laugh at having to spoof the Referer: header.
> It's a form of trusting the client, which is a big, huge, no-no. It's okay

Bill Thompson's comment makes sense in the following scenario. Suppose
a page on www.evil.com contained a link to www.trusted.com's login page,
with something funny embedded in a query string. Then an unsuspecting
victim might be tricked into following the link and getting back a page
webserver refused to serve anything else but the index page unless the
Referer: field contained a trusted.com URL, this attack would be foiled.
Now, is there a way to trick a browser into lying about the referrer?
I don't | All messages will be PGP signed, | Fight for your right to
speak for | encrypted mail preferred. Keys: | use sealed envelopes.
the Uni. | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
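The server-side gate described in the message above, as an added example that is not part of the original post: only the index page is served unconditionally, and every other path requires a Referer whose host is trusted.com. It compares the parsed host rather than searching the header for the domain name, because a substring test also accepts a foreign URL that merely mentions trusted.com. The index paths, function names and sample requests are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "trusted.com"      # site name taken from the post
INDEX_PATHS = {"/", "/index.html"}  # assumption: what counts as "the index page"


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname  # drops userinfo and port, already lower-cased


def is_trusted_referer(referer):
    """True only when the Referer's host is trusted.com or a subdomain of it."""
    host = referer_host(referer)
    return host is not None and (
        host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN))


def naive_is_trusted(referer):
    """Substring test: accepts any Referer that merely mentions the domain."""
    return bool(referer) and TRUSTED_DOMAIN in referer


def may_serve(path, referer, check=is_trusted_referer):
    """Policy from the post: index page for everyone, the rest needs a trusted Referer."""
    if urlsplit(path).path in INDEX_PATHS:
        return True
    return check(referer)


# Constructed sample requests: (path, Referer header or None)
SAMPLES = [
    ("/", None),
    ("/login?user=x", "http://www.trusted.com/index.html"),
    ("/login?user=x", "http://www.evil.com/page.html"),
    ("/login?user=x", "http://www.evil.com/?from=www.trusted.com"),
    ("/login?user=x", "http://www.trusted.com.evil.com/"),
]

if __name__ == "__main__":
    for path, ref in SAMPLES:
        print(path, ref, may_serve(path, ref, naive_is_trusted), may_serve(path, ref))
```

A request with no Referer at all is refused for every path except the index page, which matches the policy in the message.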