Vulnerability Development mailing list archives
Re: How to prevent malicious linking/posting to webapps?
From: Slawek <sgp () TELSATGP COM PL>
Date: Mon, 11 Sep 2000 19:28:57 +0200
Hi,

If you don't want to use http-referer then it'd probably be enough to insert a kind of cookie into "malicious" URLs.

Bye,
Slawek

Monday, September 11, 2000 11:56 AM +0200, Lincoln Yeoh wrote:
Hi,

Just wondering what are good ways to prevent malicious linking to web applications.

For example: Let's say we have a web application which allows links or even img src links (webmail) to be included in messages from uncontrolled users. And the web app has a command which is accessed by a url similar to http://www.mydomain.com/webapp?command=deletefolder&folderid=1 (assuming using cookies for session authentication and the session is active).

So if the user unknowingly clicks on such a link, or even just views the page with images enabled nasty things happen.

There seem to be quite a number of ways to prevent such nasties, any ideas on which are good or which are your favourites? How do popular websites prevent abuse of their "one click" shopping?

I personally don't like the http-referer method, but some seem to use it.

Thanks,
Link.
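
The "cookie in the URL" idea from the reply above, as an added example that is not part of the original thread: the application appends to each state-changing link a token derived from the user's session, so a link planted in a message by someone who does not know that session fails the check. The function names, the server key handling and the session id value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Server-side secret; generated per process here for the demo (assumption).
SERVER_KEY = secrets.token_bytes(32)


def action_token(session_id: str, params: dict) -> str:
    """MAC over the session id and the exact command parameters."""
    canonical = urlencode(sorted(params.items()))
    msg = session_id.encode() + b"\x00" + canonical.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_link(base: str, session_id: str, params: dict) -> str:
    """Build a state-changing link that the application itself renders."""
    signed = dict(params, token=action_token(session_id, params))
    return base + "?" + urlencode(signed)


def is_authorized(url: str, session_id: str) -> bool:
    """Accept the request only if its token matches this session and command."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(len(v) != 1 for v in query.values()):
        return False  # duplicated parameters are ambiguous; reject
    params = {k: v[0] for k, v in query.items()}
    token = params.pop("token", None)
    if token is None:
        return False
    expected = action_token(session_id, params)
    # Constant-time comparison so the check does not leak the token bytewise.
    return hmac.compare_digest(token.encode(), expected.encode())


# Constructed sample values, using the URL shape from the question.
BASE = "http://www.mydomain.com/webapp"
SID_ALICE = "constructed-session-id-alice"
good = make_link(BASE, SID_ALICE, {"command": "deletefolder", "folderid": "1"})
forged = BASE + "?command=deletefolder&folderid=1"  # link embedded by a third party
```

A token carried in a URL can end up in server logs, browser history and the Referer header sent to other sites, so the same check is better applied to a hidden form field on a POST request where the application allows it.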