Full Disclosure mailing list archives

Re: Referers Are Evil


From: Brian Dessent <brian () dessent net>
Date: Sun, 07 Aug 2005 17:10:42 -0700

Ripe Md wrote:

> With referers (HTTP_REFERER) it is easy to takeover sessions in some
> Web applications Forums (phpBB) and so forth.

The natural conclusion would be that storing such session information as
part of the URL is what is evil, not the concept of the referer.  It
also violates the ideal that URLs should be kept as short and simple as
is reasonable, and not contain long strings of unintelligible garbage.

In the same vein, most forum software fails to follow the guideline that
no HTTP GET should be able to cause a stateful change (such as deleting
a post), as was painfully demonstrated by the Google web accelerator
debacle.

Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
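An added example, not code from Brian's post, from phpBB, or from the Google Web Accelerator, showing the two anti-patterns the reply names side by side with a hardened form: a session id carried in the URL leaks to any site the user clicks through to (the browser sends the full referring URL as Referer), and a delete that fires on GET is executed by anything that follows links with the user's credentials, such as a prefetching proxy. The forum paths, the session store, the post store and the CSRF token scheme are all hypothetical, constructed here so the code runs offline.

```python
"""Session-in-URL plus state-changing GET, versus cookie session plus
POST with a CSRF token. Everything here (routes, sessions, posts) is
constructed for the example; it is not phpBB's code."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed data: one logged-in user and one post (hypothetical).
SESSIONS = {"7c1e4f": "alice"}   # session id -> user
POSTS = {42: "hello"}            # post id -> body


def referer_for_outbound_click(page_url):
    """A 2005-era browser following a link from page_url sent the whole
    page_url, query string included, as the Referer header."""
    return page_url


def session_from_referer(referer):
    """What the destination site learns if the session id lives in the URL."""
    qs = parse_qs(urlsplit(referer).query)
    return qs.get("sid", [None])[0]


# --- vulnerable shape: sid in the query string, delete on any GET ---
def vulnerable_app(method, url, posts):
    """Ignores the HTTP method entirely; a GET to /delete removes a post."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    user = SESSIONS.get(qs.get("sid", [None])[0])
    if user is None:
        return 403, "not logged in"
    if parts.path == "/delete":
        posts.pop(int(qs["p"][0]), None)
        return 200, "deleted"
    return 200, "ok"


def prefetch(links, posts):
    """What a link-prefetching accelerator did: fetch every link on the
    page with the user's own session, without asking."""
    return [vulnerable_app("GET", link, posts) for link in links]


# --- hardened shape: sid in a cookie, delete only via POST + CSRF token ---
SECRET = secrets.token_bytes(32)   # per-process key for the token MAC


def csrf_token(sid):
    """Token bound to the session so a forged form from another site
    cannot supply it."""
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()


def hardened_app(method, url, cookies, form, posts):
    """Session comes from a cookie, so the URL (and thus the Referer)
    carries nothing secret; state changes require POST and a valid token."""
    parts = urlsplit(url)
    sid = cookies.get("sid")
    if SESSIONS.get(sid) is None:
        return 403, "not logged in"
    if parts.path == "/delete":
        if method != "POST":
            return 405, "use POST"
        if not hmac.compare_digest(form.get("csrf", ""), csrf_token(sid)):
            return 403, "bad csrf token"
        posts.pop(int(form["p"]), None)
        return 200, "deleted"
    return 200, "ok"
```

Run the vulnerable app against the link list a prefetcher would collect from a topic page and the post vanishes without any click; run the hardened app and the same GET is refused, a POST without the token is refused, and only the user's own form submission deletes. The Referer check returns the session id for the URL-based design and nothing for the cookie-based one. Modern browsers also trim the referrer by default and support SameSite cookies, neither of which existed in 2005, but the rule in the reply still holds: keep secrets out of the URL and keep state changes off GET.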
