Vulnerability Development mailing list archives
Re: How to prevent malicious linking/posting to webapps?
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Mon, 11 Sep 2000 23:24:50 +0200
> I personally don't like the http-referer method, but some seem to use it.

It's client supplied information which is spoofable. Therefore, you are probably right in being doubtful.

> There seem to be quite a number of ways to prevent such nasties, any ideas on which are good or which are your favourites?

Using cookies or longer URLs containing a session id seems the logical way to make these attacks unlikely. Although you have to think twice for such a thing to add security and not only obscurity.

> And the web app has a command which is accessed by a url similar to http://www.mydomain.com/webapp?command=deletefolder&folderid=1 (assuming using cookies for session authentication and the session is active).

So.... We would perhaps draw the conclusion that having the session id in a cookie is a bit... risky ;-) Given that you can fool someone to run your javascript or html file while browsing the site in another window.... *argh* Btw, any javascript expert know what happens when you have a 100%x100% frame, and you, as an example, add a site such as hotmail.com in the frame's URL? Wouldn't the script be able to extract information such as current URL in the frame?

> How do popular websites prevent abuse of their "one click" shopping?

Pray?

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
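The point of the exchange above is that a browser attaches the session cookie to any request, including one a third-party page causes it to make, so a cookie alone does not prove the user meant to issue `command=deletefolder`. The suggestion of putting a session-bound secret in the request itself is what later became the standard anti-forgery token. The following is an added example written for this archive page, not code from the thread or its participants; it models the `webapp?command=deletefolder&folderid=1` handler twice, once checking only the cookie and once also demanding a per-session random token and a POST, and all names (`Request`, `WebApp`, `demo`) are hypothetical.

```python
"""Added example (not from the original thread): a cookie-only session
check beside a handler that also demands a per-session anti-forgery
token, modelled on the 'webapp?command=deletefolder&folderid=1' case
discussed above. All names here are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict


@dataclass
class WebApp:
    """Toy server: sessions map a cookie value to a user and a CSRF secret."""
    sessions: dict = field(default_factory=dict)
    folders: dict = field(default_factory=dict)  # folder id -> owning user

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        # The anti-forgery token is random and tied to this session only;
        # it is handed to the user's own pages, never stored in the cookie.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def _session_user(self, req):
        sess = self.sessions.get(req.cookies.get("session"))
        return sess["user"] if sess else None

    def delete_folder_cookie_only(self, req):
        """Vulnerable: the cookie is the only credential, and the browser
        attaches it to any request, including one a third-party page triggers."""
        user = self._session_user(req)
        if user is None:
            return 401
        fid = req.params.get("folderid")
        if self.folders.get(fid) != user:
            return 403
        del self.folders[fid]
        return 200

    def delete_folder_hardened(self, req):
        """Hardened: state changes only via POST, and the request must carry
        the session's secret token, which a cross-site page cannot read."""
        if req.method != "POST":
            return 405
        sess = self.sessions.get(req.cookies.get("session"))
        if sess is None:
            return 401
        supplied = req.params.get("csrf", "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403
        fid = req.params.get("folderid")
        if self.folders.get(fid) != sess["user"]:
            return 403
        del self.folders[fid]
        return 200


def demo():
    """Runs constructed requests through both handlers and returns the outcomes."""
    app = WebApp()
    sid = app.login("alice")
    app.folders.update({"1": "alice", "2": "alice", "3": "alice"})
    # Constructed cross-site requests: the browser sends alice's cookie, but
    # the attacker-controlled page only knows the public URL parameters.
    forged_get = Request("GET", {"session": sid},
                         {"command": "deletefolder", "folderid": "1"})
    forged_post = Request("POST", {"session": sid},
                          {"command": "deletefolder", "folderid": "2"})
    # Legitimate request from the site's own form, carrying the session token.
    legit = Request("POST", {"session": sid},
                    {"command": "deletefolder", "folderid": "3",
                     "csrf": app.csrf_token(sid)})
    results = {
        "cookie_only_forged": app.delete_folder_cookie_only(forged_get),
        "hardened_forged_get": app.delete_folder_hardened(forged_get),
        "hardened_forged_post": app.delete_folder_hardened(forged_post),
        "hardened_legit": app.delete_folder_hardened(legit),
        "remaining_folders": sorted(app.folders),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

The forged request succeeds against the cookie-only handler and is refused by the hardened one whether it arrives as GET or POST, because the only thing it lacks is the token, and that is exactly the thing a page on another origin cannot obtain. The token must be unguessable and must not travel in the cookie itself, otherwise it adds nothing over the cookie check; in current browsers the `SameSite` cookie attribute complements this but does not replace it.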