Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: The Dangers of Allowing Users to Post Images

From: Tim Nowaczyk <zimage () upl cs wisc edu>
Date: Fri, 15 Jun 2001 12:52:22 -0500
On Thu, Jun 14, 2001 at 08:34:33PM +0200, Sverre H. Huseby wrote:

A possible solution (for web developers) seems to be to make sure the
user has been given an offer to do something before letting him do it:
Give each user a unique "ticket", and for each "action" on a web page,
bind this ticket to it.  Examples on URL an form follow:

  http://vote.com/vote.cgi?answer=1&ticket=9871398747

  <input type="hidden" name="ticket" value="9871398747">

When the request comes in, check if the incoming ticket matches the
one stored in this user's session.  If it does, this particular user
was given the offer by our server, and not by anyone else.  To spoof
this system, someone would have to guess or otherwise find out what
ticket value the victim was given by the server.

To make it harder to find the ticket value given to a user, you could
give the user many tickets, one for each possible action.  This
solution would require a "ticket pool" in the user's session.  I've
implemented the latter solution in both PHP and Java.  Let me know if
you would like some code.  (It's not at all hard to implement, of
course.)


Sverre.

  My company  implemented this but went one more step.  They created a file that had (IP, ticket) pairs. The ticket was 
passed around in URLs, but wasn't valid unless it came from the specific IP.  To pretend to be someone else, one would 
have to spoof their IP and guess the value of their (10 hour life-cycle) ticket.  We did this, originally, because we 
wanted to support web browsers that didn't use cookies.  The file was, actually, more like (IP, ticket, 
cookie-type-options-and-settings).  It worked well for us.

  Sincerely,
  Tim Nowaczyk

  <>< Truth
Previous By Date Next
Previous By Thread Next

Current thread: