[13745] in bugtraq
Re: recent 'cross site scripting' CERT advisory
daemon@ATHENA.MIT.EDU (Ari Gordon-Schlosberg)
Tue Feb 8 02:14:56 2000
Mail-Followup-To: Bill Thompson <bill@DIAL.PIPEX.COM>, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000207175500.A4376@nebcorp.com>
Date: Mon, 7 Feb 2000 17:55:00 -0600
Reply-To: Ari Gordon-Schlosberg <regs@NEBCORP.COM>
From: Ari Gordon-Schlosberg <regs@NEBCORP.COM>
X-To: Bill Thompson <bill@DIAL.PIPEX.COM>, bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <LPBBLOPOCCCHHDIFALIEAEAOCDAA.bill@dial.pipex.com>; from
bill@DIAL.PIPEX.COM on Sun, Feb 06, 2000 at 09:12:43AM -0000
[Bill Thompson <bill@DIAL.PIPEX.COM>]
> One form of protection from a truly *cross-site* attack that I didn't
> see mentioned in the CERT advisory is the trusty "HTTP_REFERER"
> check. But then, with so many sites using affiliate programs to get
> their search boxes and book-buying links distributed across the Web,
> there may be few major e-commerce sites that block requests based on
> the referral source.
HTTP_REFERER is trivial to spoof, and it's likely that anyone perpetrating
a sophisticated attack would laugh at having to spoof the Referer: header.
It's a form of trusting the client, which is a big, huge no-no. It's okay
if you're trying to protect from someone seeing a page that they should
register for (like downloading a white paper), because it's not worth an
attacker's trouble to circumvent something like that. But Referer: should never
be used as a security measure. Hell, anyone with telnet can spoof a Referer:
URL.
--
Ari there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
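The point both posters make, as an added example that is not part of the original thread: a Referer check decides purely on a header the client chose to send, so the server sees identical bytes whether a browser on the first-party page or a hand-typed telnet session produced them, and at the same time it blocks the legitimate affiliate traffic Bill mentions. The host name `shop.example`, the partner host and the raw requests below are constructed placeholders.

```python
from urllib.parse import urlsplit

# Hypothetical first-party host used by the check (constructed placeholder).
OWN_HOSTS = frozenset({"shop.example"})


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of a raw HTTP/1.x request.
    Header names are lower-cased; any body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "version": version, "headers": headers}


def referer_allows(headers: dict, own_hosts=OWN_HOSTS) -> bool:
    """The 'trusty HTTP_REFERER check': accept only when the Referer names one
    of our own hosts. The host is taken from the parsed URL, not by substring
    search, so 'shop.example.other.example' does not pass. The only input is
    a header the client composed, which is exactly why this can be a
    convenience filter but never the authorization decision itself."""
    ref = headers.get("referer")
    if not ref:
        return False
    host = (urlsplit(ref).hostname or "").lower()
    return host in own_hosts


def evaluate(raw: bytes) -> bool:
    """Run the Referer check over one raw request as a server would see it."""
    return referer_allows(parse_request(raw)["headers"])


# Constructed requests. The server cannot tell whether FIRST_PARTY came from a
# browser on /catalog or was typed by hand: the bytes are the same either way.
FIRST_PARTY = (b"POST /cart/add HTTP/1.0\r\nHost: shop.example\r\n"
               b"Referer: https://shop.example/catalog\r\n\r\n")
# A genuine affiliate link (the case Bill raises) is rejected by the same check.
AFFILIATE = (b"POST /cart/add HTTP/1.0\r\nHost: shop.example\r\n"
             b"Referer: https://partner-books.example/review\r\n\r\n")
# Browsers and proxies routinely omit Referer, so legitimate users are dropped too.
NO_REFERER = b"POST /cart/add HTTP/1.0\r\nHost: shop.example\r\n\r\n"
# A look-alike host must not pass; the parser reads the real host name.
LOOKALIKE = (b"POST /cart/add HTTP/1.0\r\nHost: shop.example\r\n"
             b"Referer: https://shop.example.other.example/\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("first-party", FIRST_PARTY), ("affiliate", AFFILIATE),
                       ("no referer", NO_REFERER), ("look-alike", LOOKALIKE)]:
        print(f"{label:12s} allowed={evaluate(req)}")
```

The outcome of `referer_allows` depends on nothing the server controls, which is the sense in which it "trusts the client": it is acceptable as the soft gate in front of a white paper, but any decision about who may perform an action has to rest on server-side state.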