Vulnerability Development mailing list archives

Re: How to prevent malicious linking/posting to webapps?


From: Slawek <sgp () TELSATGP COM PL>
Date: Mon, 11 Sep 2000 19:28:57 +0200

Hi,


If you don't want to use http-referer, then it'd probably be enough to insert
a kind of cookie into "malicious" URLs.


Bye,
Slawek


Monday, September 11, 2000 11:56 AM +0200, Lincoln Yeoh wrote:
Hi,

Just wondering what are good ways to prevent malicious linking to web
applications.

For example:

Let's say we have a web application which allows links or even img src
links (webmail) to be included in messages from uncontrolled users.

And the web app has a command which is accessed by a url similar to
http://www.mydomain.com/webapp?command=deletefolder&folderid=1
(assuming using cookies for session authentication and the session is
active).

So if the user unknowingly clicks on such a link, or even just views the
page with images enabled, nasty things happen.

There seem to be quite a number of ways to prevent such nasties; any ideas
on which are good or which are your favourites?

How do popular websites prevent abuse of their "one click" shopping?

I personally don't like the http-referer method, but some seem to use it.

Thanks,
Link.


