Wed Nov 1 13:33:20 EST 2006
I know that referer is essentially never disabled over 2000+ users and 24
million+ hits per month. Not that I would ever check referer on that site
- the data is simply not that valuable.
I'm worried about the 80/20 rule here. Nothing more. I have established
the number of users who strip referers is < 1% based upon real world logs.
Any one of us who has access to a busy site's web logs (which also collect
referer info) can repeat my observation. I honestly don't care about those
1% of users who are so paranoid as to drop or alter a forgeable header which
says "I came from this same site".
I think devs should be aware that these things happen, and error check for
it (i.e., be robust in what you accept). If a user is aware they need referer
to work, all the personal Internet Security software I'm aware of allows
you to opt out on a site-by-site basis. If you want (or have) to use a
particular site, such as your bank's Internet Banking, the bank is the 800
lb gorilla in the relationship.
Remember the days when we used to regularly block cookies? They're gone.
People accept that to use a site requires trading a little something.
Referer is far from a perfect control, but it's easy and stops someone who
has no idea from abusing your app.
Of all the untrustworthy data an attacker can send in an HTTP request,
referer is the easiest to check correctly and deny in about two to three
lines of code.
Other checks which actually work are the main reason we work so hard on
good session management. If you have four good controls and one so-so
control (which does work against simple attacks), it's still better than
four good controls. Defense in depth.
More information about the Owasp-guide
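The "two to three lines" referer check the post describes, written out as an added example (not code from the post or from the OWASP Guide) so the "be robust in what you accept" point is visible: a missing header is handled explicitly rather than crashing, and the comparison is on the parsed scheme and host, not a substring match. The site host and the sample headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed origin for this example; a real deployment would take it from config.
SITE_HOST = "www.example-bank.test"
ALLOWED_SCHEMES = {"https"}


def referer_allowed(referer, missing_ok=True):
    """Return True if the Referer header says the request came from this site.

    referer:    the Referer header value, or None when a browser, proxy or
                privacy tool stripped it (the <1% case the post mentions).
    missing_ok: whether an absent header passes. Defaults to the post's
                "robust" stance; set False on endpoints where a referer is
                required and its absence should be denied.
    """
    if not referer:
        return missing_ok
    try:
        parts = urlsplit(referer)
    except ValueError:  # malformed URL (e.g. unbalanced IPv6 brackets)
        return False
    # Exact scheme and host comparison. A naive "SITE_HOST in referer" test
    # would pass https://www.example-bank.test.attacker.invalid/ or a referer
    # that merely carries our host name in its query string or userinfo.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return parts.hostname is not None and parts.hostname == SITE_HOST


def check_request(headers, missing_ok=True):
    """Apply the check to a request's header dict (constructed input shape)."""
    return referer_allowed(headers.get("Referer"), missing_ok)


if __name__ == "__main__":
    # Constructed sample headers: same-site, stripped, and three look-alikes.
    samples = [
        {"Referer": "https://www.example-bank.test/transfer"},
        {},
        {"Referer": "https://www.example-bank.test.attacker.invalid/"},
        {"Referer": "https://attacker.invalid/?u=https://www.example-bank.test"},
        {"Referer": "https://www.example-bank.test@attacker.invalid/"},
    ]
    for h in samples:
        print(h.get("Referer"), "->", "allow" if check_request(h) else "deny")
```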