Vulnerability Development mailing list archives
How to prevent malicious linking/posting to webapps?
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Mon, 11 Sep 2000 17:56:59 +0800
Hi,

Just wondering what are good ways to prevent malicious linking to web applications.

For example: Let's say we have a web application which allows links or even img src links (webmail) to be included in messages from uncontrolled users. And the web app has a command which is accessed by a url similar to http://www.mydomain.com/webapp?command=deletefolder&folderid=1 (assuming using cookies for session authentication and the session is active).

So if the user unknowingly clicks on such a link, or even just views the page with images enabled, nasty things happen.

There seem to be quite a number of ways to prevent such nasties, any ideas on which are good or which are your favourites? How do popular websites prevent abuse of their "one click" shopping?

I personally don't like the http-referer method, but some seem to use it.

Thanks,
Link.
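
One common way to handle the case described in the message above, added here as an example and not part of the original post: state-changing commands are accepted only as POST requests that carry a token derived from the session, which a link or img src placed in a message by another user cannot supply. The names SERVER_KEY, STATE_CHANGING, issue_token and authorize, and the session ids used with them, are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: one secret per deployment, generated here only for the example.
SERVER_KEY = secrets.token_bytes(32)
# Assumption: the set of commands that modify data in the hypothetical webapp.
STATE_CHANGING = {"deletefolder"}


def issue_token(session_id: str) -> str:
    """Token the app embeds as a hidden field in the forms it renders itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize(method: str, url: str, body: str, session_id: str) -> bool:
    """Decide whether a request with a valid session cookie may run its command.

    The cookie alone proves nothing about who composed the request, because
    the browser attaches it to any request sent to the site.
    """
    query = parse_qs(urlsplit(url).query)
    form = parse_qs(body)
    commands = set(query.get("command", [])) | set(form.get("command", []))
    if not commands & STATE_CHANGING:
        return True   # read-only commands may be reached by plain links
    if method != "POST":
        return False  # clicked links and <img src> fetches arrive as GET
    supplied = form.get("token", [""])[0]
    expected = issue_token(session_id)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(supplied.encode(), expected.encode())
```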