Re: How to prevent malicious linking/posting to webapps?

["Bluefish (P.Magnusson)" <11a () GMX NET>]

> I personally don't like the http-referer method, but some seem to use it.

It's client supplied information which is spoofable. Therefore, you are
probably right in being doubtfull.

> There seem to be quite a number of ways to prevent such nasties, any ideas
> on which are good or which are your favourites?

Using cookies or longer URLs containing a session id seems the logical way
to make these attacks unlikely. Although you have to think twice for such
a thing to add security and not only obscurity.

> And the web app has a command which is accessed by a url similar to
> http://www.mydomain.com/webapp?command=deletefolder&folderid=1
> (assuming using cookies for session authentication and the session is active).

So.... We would perhaps draw the conclusion that having the session id in
a cookie is a bit... risky ;-) Given that you can fool someone to run
your javascript or html file while browsing the site in another window....
*argh*

Btw, any javascript expert know what happens when you have an 100%x100%
frame, and you, as an example, add a site such as hotmail.com in the
frame's URL? Wouldn't the script be able to extract information such as
current URL in the frame?

> How do popular websites prevent abuse of their "one click" shopping?

Pray?

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team