WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

From: Shade <shade () wastelands gen nz>
Date: Mon, 20 Dec 2004 09:54:03 +0000
On Fri, Dec 17, 2004 at 09:36:46AM +0100, Philippe P. wrote:


-         In chapter 6, you propose countermeasures. But, your propositions 
are complexes. A better approach is to check the header Referer for each 
request with parameter. If the Referer is not compatible the the site, you 
can reject the request. It's very easy to install, and you can continue to 
use the HTTP cache.


Not such a good idea.  The referer value is no more trustworthy than
anything else supplied by the client.

        S.

-- 
Vague and bizarre are two of our closest friends, along with intrigue
and deception. (ND)
Previous By Date Next
Previous By Thread Next

Current thread: