Bugtraq mailing list archives
Re: recent 'cross site scripting' CERT advisory
From: regs () NEBCORP COM (Ari Gordon-Schlosberg)
Date: Mon, 7 Feb 2000 17:55:00 -0600
[Bill Thompson <bill () DIAL PIPEX COM>]
One form of protection from a truly *cross-site* attack that I didn't see mentioned in the CERT advisory is the trusty "HTTP_REFERER" check. But then, with so many sites using affiliate programs to get their search boxes and book-buying links distributed across the Web, there may be few major e-commerce sites that block requests based on the referral source.
HTTP_REFERER is trivial to spoof, and it's likely that anyone perpetrating a sophisticated attack would laugh at having to spoof the Referer: header. It's a form of trusting the client, which is a big, huge no-no. It's okay if you're trying to protect from someone seeing a page that they should register for (like downloading a white paper), because it's not worth an attacker's trouble to circumvent something like that. But Referer: should never be used as a security measure. Hell, anyone with telnet can spoof a Referer: URL.

-- Ari
there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
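The point of the reply above, as an added example that is not part of the original post or the thread: a server-side HTTP_REFERER check of the kind Bill Thompson suggests, fed raw requests of the sort an attacker types into `telnet host 80`. The host names, paths and the URL-encoded script payload are constructed for the example; the check itself is the naive "is the Referer one of our own pages?" test, and it is equally naive in any real web server that implements it this way.

```python
"""Added example (not from the Bugtraq post): why a Referer check is
"trusting the client". All host names, paths and payloads below are
constructed for illustration."""

from urllib.parse import urlparse

# constructed: the e-commerce host whose own pages are the only "trusted" source
TRUSTED_HOST = "shop.example"


def parse_request(raw: bytes):
    """Parse a minimal HTTP/1.0 request (request line plus headers), the way a
    server sees it. Header names are case-insensitive, so they are lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def referer_allowed(headers, trusted_host=TRUSTED_HOST):
    """The 'trusty' HTTP_REFERER check: accept only requests that claim to have
    been sent from one of our own pages. Host equality is used rather than a
    prefix match, so 'shop.example.evil.example' does not pass."""
    referer = headers.get("referer")
    if not referer:
        return False
    return urlparse(referer).hostname == trusted_host


def build_request(path, referer=None, host=TRUSTED_HOST):
    """Build the raw bytes a client sends. This is exactly what someone types
    into telnet: the Referer line, like every other header, is whatever the
    client chooses to send, or to leave out."""
    lines = [f"GET {path} HTTP/1.0", f"Host: {host}"]
    if referer is not None:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def demo():
    """Run three variants of the same request through the check and report
    which ones it lets through."""
    # constructed reflected-script payload in a query parameter
    attack_path = "/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"

    # 1) sent from an attacker's page: a browser's genuine Referer gives it away
    from_evil = build_request(attack_path, referer="http://evil.example/lure.html")
    # 2) same request, Referer forged to name one of our own pages
    forged = build_request(attack_path, referer="http://shop.example/index.html")
    # 3) Referer simply omitted, as a telnet user would do
    bare = build_request(attack_path)

    results = {}
    for name, raw in (("from_evil", from_evil), ("forged", forged), ("bare", bare)):
        _, _, headers, _ = parse_request(raw)
        results[name] = referer_allowed(headers)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:10s} -> {'ACCEPTED' if allowed else 'blocked'}")
```

The check blocks the honest browser-submitted request and the one with no Referer, and accepts the forged one, which is the only one a deliberate attacker would send. Nothing the server can observe distinguishes case 2 from a genuine click on its own page; the header is an assertion by the client, not evidence.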
Current thread:
- Re: Fwd: CERT Advisory CA-2000-02, (continued)
- Re: Fwd: CERT Advisory CA-2000-02 Len Budney (Feb 08)
- Novell GroupWise 5.5 Enhancement Pack Web Access Denial of Servic e Adam Gray (Feb 07)
- Re: Fwd: CERT Advisory CA-2000-02 Henri Torgemane (Feb 03)
- recent 'cross site scripting' CERT advisory Tim Hollebeek (Feb 04)
- Re: recent 'cross site scripting' CERT advisory Marc Slemko (Feb 05)
- Re: recent 'cross site scripting' CERT advisory Manuel Martin (Feb 08)
- Novell BorderManager 3.5 Remote Slow Death Chicken Man (Feb 08)
- Re: Novell BorderManager 3.5 Remote Slow Death Ron van Daal (Feb 09)
- Re: Novell BorderManager 3.5 Remote Slow Death Puchatek (Feb 11)
- Re: recent 'cross site scripting' CERT advisory Bill Thompson (Feb 06)
- Re: recent 'cross site scripting' CERT advisory Ari Gordon-Schlosberg (Feb 07)
- Re: recent 'cross site scripting' CERT advisory Taneli Huuskonen (Feb 07)
- Re: recent 'cross site scripting' CERT advisory Peter W (Feb 08)
- Re: recent 'cross site scripting' CERT advisory Mikael Olsson (Feb 08)
- Re: recent 'cross site scripting' CERT advisory Henri Torgemane (Feb 08)
- Re: 'cross site scripting' defenses flynngn () JMU EDU (Feb 06)
- Microsoft Security Bulletin (MS00-004) Microsoft Product Security (Feb 04)
- Sprint PCS vulnerable to malicious tags Paul Schreiber (Feb 04)