Bugtraq mailing list archives
Re: recent 'cross site scripting' CERT advisory
From: huuskone () CC HELSINKI FI (Taneli Huuskonen)
Date: Tue, 8 Feb 2000 09:59:56 +0200
Ari Gordon-Schlosberg wrote:

> [Bill Thompson <bill () DIAL PIPEX COM>]
> > One form of protection from a truly *cross-site* attack that I didn't
> > see mentioned in the CERT advisory is the trusty "HTTP_REFERER"
> [...]
> HTTP_REFERER is trivial to spoof, and it's likely that anyone
> perpetrating a sophisticated attack would laugh at having to spoof the
> Referer: header. It's a form of trusting the client, which is a big,
> huge, no-no. It's okay

Bill Thompson's comment makes sense in the following scenario. Suppose a page on www.evil.com contained a link to www.trusted.com's login page, with something funny embedded in a query string. Then an unsuspecting victim might be tricked into following the link and getting back a page with evil.com's javascript embedded in it. Now, if trusted.com's webserver refused to serve anything else but the index page unless the Referer: field contained a trusted.com URL, this attack would be foiled.

Now, is there a way to trick a browser into lying about the referrer?

Taneli Huuskonen

-- 
I don't    | All messages will be PGP signed,  | Fight for your right to
speak for  | encrypted mail preferred. Keys:   | use sealed envelopes.
the Uni.   | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
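The server-side policy sketched in the post above (serve only the index page unless the Referer: names the trusted site), written out as an added example that is not part of the original message or of any project. It uses www.trusted.com from the post's scenario; the open path list and the function names are assumptions. It goes beyond the post in one respect: it places a naive substring test beside the host-comparing version to show why "contained a trusted.com URL" must mean a parsed host match, not a string search.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for the post's scenario: the site being protected and the
# paths it is willing to serve regardless of Referer (the index page).
TRUSTED_HOST = "www.trusted.com"
OPEN_PATHS = {"/", "/index.html"}


def naive_referer_check(referer: Optional[str]) -> bool:
    """The literal reading of 'contains a trusted.com URL'.  Shown only to
    contrast with the parsed check: any URL carrying the string passes,
    including ones whose host is somewhere else entirely."""
    return "trusted.com" in (referer or "")


def referer_is_trusted(referer: Optional[str]) -> bool:
    """True only if Referer parses as an http(s) URL whose host is exactly
    TRUSTED_HOST.  A missing or unparsable header is treated as untrusted,
    since many clients and proxies strip the header."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() == TRUSTED_HOST


def should_serve(path: str, referer: Optional[str]) -> bool:
    """The policy from the post: the index page is served to anyone, and
    everything else only when the Referer host is our own site.  As the
    thread notes, the header is client-supplied, so this is defence in
    depth and does not replace escaping untrusted input in the response."""
    if path in OPEN_PATHS:
        return True
    return referer_is_trusted(referer)
```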