[13752] in bugtraq


Re: recent 'cross site scripting' CERT advisory

daemon@ATHENA.MIT.EDU (Taneli Huuskonen)
Tue Feb 8 23:51:48 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <200002080759.JAA05677@sirppi.helsinki.fi>
Date:         Tue, 8 Feb 2000 09:59:56 +0200
Reply-To: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
From: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
X-To:         Ari Gordon-Schlosberg <regs@NEBCORP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000207175500.A4376@nebcorp.com> from Ari Gordon-Schlosberg at
              "Feb 7, 2000 05:55:00 pm"

-----BEGIN PGP SIGNED MESSAGE-----

Ari Gordon-Schlosberg wrote:

> [Bill Thompson <bill@DIAL.PIPEX.COM>]
> > One form of protection from a truly *cross-site* attack that I didn't
> > see mentioned in the CERT advisory is the trusty "HTTP_REFERER"
[...]
>
> HTTP_REFERER is trivial to spoof, and it's likely that anyone perpetrating
> a sophisticated attack would laugh at having to spoof the Referer: header.
> It's a form of trusting the client, which is a big, huge, no-no.  It's okay

Bill Thompson's comment makes sense in the following scenario.  Suppose
a page on www.evil.com contained a link to www.trusted.com's login page,
with something funny embedded in a query string.  Then an unsuspecting
victim might be tricked into following the link and getting back a page
with evil.com's javascript embedded in it.  Now, if trusted.com's
webserver refused to serve anything else but the index page unless the
Referer: field contained a trusted.com URL, this attack would be foiled.

Now, is there a way to trick a browser into lying about the referrer?

Taneli Huuskonen

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQB1AwUBOJ/M9AUw3ir1nvhZAQEg2QL/VmBUGamGJACoVXCFG8n2G4OQCZk/wGrr
j+wFyzKtFA1YFE6KoIV3I+msJ/QVZJJ8hk6n6Oy45Z5/KkCSdNTQFz7OV+c2v0ua
Q/OXeo/4zUpZNl82Fgdx44rNxu21FkPY
=INX4
-----END PGP SIGNATURE-----
--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
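The scenario in the message above, as an added example that is not code from the original post or from any of the posters: a minimal Python request handler for an imaginary www.trusted.com whose login page reflects a query-string parameter, with the Referer gate Bill Thompson proposed placed in front of it. The host name, paths, the `user` parameter and the payload are all assumptions invented for the example. It shows that the gate does foil a plain link from www.evil.com, that a client which is not a browser (here, the script itself) can send whatever Referer it likes, which is Ari's objection, and, separately, that HTML-escaping the reflected value removes the injected script whatever the Referer says.

```python
"""Added example (not from the original Bugtraq message): a reflected-XSS
login page behind a Referer gate, to exercise the scenario in the thread.
All names below (www.trusted.com, /login, the 'user' parameter, the
payload) are assumptions invented for this example."""
import html
from urllib.parse import parse_qs, quote, urlsplit

TRUSTED_HOST = "www.trusted.com"          # assumed name of the site being protected

# Constructed attack input: the "something funny" embedded in the query string.
PAYLOAD = "<script>alert(document.cookie)</script>"
ATTACK_QS = "user=" + quote(PAYLOAD)


def _param(query_string, name):
    """First value of a query-string parameter, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def login_page_vulnerable(query_string):
    """Login page that reflects the 'user' parameter verbatim: the kind of
    flaw the CERT advisory under discussion is about."""
    user = _param(query_string, "user")
    return ("<html><body><form action='/auth' method='post'>"
            f"Welcome back, {user}. Password: <input name='pw' type='password'>"
            "</form></body></html>")


def login_page_escaped(query_string):
    """Same page with the reflected value HTML-escaped before output, so
    injected markup is rendered as text rather than interpreted."""
    user = html.escape(_param(query_string, "user"), quote=True)
    return ("<html><body><form action='/auth' method='post'>"
            f"Welcome back, {user}. Password: <input name='pw' type='password'>"
            "</form></body></html>")


def referer_is_trusted(headers):
    """Bill Thompson's gate: accept only if the Referer header names our
    own host.  The host is taken from the parsed URL, not found by
    substring search, so http://www.evil.com/?u=http://www.trusted.com/
    and http://www.trusted.com.evil.com/ are both rejected.  A request
    with no Referer at all is rejected too (the strict reading of the
    proposal); see the usage note for what that costs."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    referer = lowered.get("referer")
    if referer is None:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:                                     # malformed URL, e.g. a bad IPv6 literal
        return False
    return parts.scheme in ("http", "https") and parts.hostname == TRUSTED_HOST


def serve(path, query_string, headers, escape_output=False):
    """Tiny request dispatcher returning (status, body).  The index page is
    always served; every other page is gated on the Referer, as the
    message proposes.  escape_output selects the hardened login page."""
    if path == "/":
        return 200, "<html><body><a href='/login'>Log in</a></body></html>"
    if not referer_is_trusted(headers):
        return 403, "Forbidden: request did not originate from " + TRUSTED_HOST
    if path == "/login":
        page = login_page_escaped if escape_output else login_page_vulnerable
        return 200, page(query_string)
    return 404, "Not found"


if __name__ == "__main__":
    # Victim follows the evil.com link in a browser, which sends evil.com as Referer.
    print(serve("/login", ATTACK_QS, {"Referer": "http://www.evil.com/bait.html"})[0])   # 403
    # A non-browser client (this script) simply claims to come from trusted.com.
    status, body = serve("/login", ATTACK_QS, {"Referer": "http://www.trusted.com/"})
    print(status, PAYLOAD in body)                                                    # 200 True
    # With output escaping the script text never reaches the page as markup.
    status, body = serve("/login", ATTACK_QS, {"Referer": "http://www.trusted.com/"},
                         escape_output=True)
    print(status, PAYLOAD in body)                                                    # 200 False
```

Two practical points the gate raises: the check compares the parsed host, because a "contains trusted.com" substring test would pass a Referer such as http://www.evil.com/?u=http://www.trusted.com/; and the strict policy also turns away every request that carries no Referer at all, which includes a user who typed the URL or followed a bookmark, so anyone deploying it has to decide whether that breakage is acceptable. The escaped variant does not depend on what the client claims about itself.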
