[OWASP-GUIDE] OWASP Guide 2.0a4 available

Chris Shiflett chris at shiflett.org
Tue Feb 15 18:17:20 EST 2005


--- Andrew van der Stock wrote:
> I've uploaded a new version of the Guide. Sorry, I've been a bit busy
> to incorporate all the feedback, but that will be done soon.

Apologies in advance if this is part of the feedback mentioned, but...

The guide makes the following recommendation:

--
A naive brute force attack will not fill in the referrer header correctly.
If your application has only a specific path or domain from which your
login functionality can be invoked, it should check that the referrer
field has been correctly set.

For example, if login.jsp can only be invoked from
http://www.example.com/index.jsp, the referrer should check that the
referrer is this value.
--

I think this is a poor recommendation. Because Referer is so trivially
spoofed, there aren't many "naive" attacks that will be thwarted. Worse,
because Referer is optional, and also because there exists third-party
software and HTTP proxies that strip and/or modify Referer, this can
adversely affect legitimate users. When possible, safeguards should be
transparent to the user.

Has this been discussed? My apologies if it has.

Chris
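As an added illustration (not code from the OWASP Guide or from this post), the script below models the Referer check the Guide recommends and runs it over a handful of constructed requests. The expected value is the Guide's own example URL; the request labels and the "legitimate" ground-truth flag are assumptions made for the evaluation. It shows both problems raised above: legitimate users whose client or proxy omits or rewrites Referer are blocked, while any client that sets the header to the expected value passes.

```python
"""Added example: evaluate a Referer-based login check against constructed traffic.
Not part of the OWASP Guide; the sample requests and labels are constructed here."""

from dataclasses import dataclass, field

# Value taken from the Guide's example: login.jsp may only be reached from index.jsp
EXPECTED_REFERER = "http://www.example.com/index.jsp"


@dataclass
class Request:
    label: str
    headers: dict = field(default_factory=dict)
    legitimate: bool = True  # ground truth used only by the evaluation, never visible to the server


def referer_check(headers: dict) -> bool:
    """The check as the Guide describes it: accept the login request only when
    Referer equals the expected page. HTTP header names are case-insensitive,
    so normalise before the lookup."""
    normalised = {name.lower(): value for name, value in headers.items()}
    return normalised.get("referer") == EXPECTED_REFERER


# Constructed sample traffic (assumption: these represent the client populations discussed)
SAMPLE_REQUESTS = [
    Request("browser submitting the login form", {"Referer": EXPECTED_REFERER}),
    Request("user behind a proxy that strips Referer", {}),
    Request("user whose privacy tool rewrites Referer", {"Referer": "http://www.example.com/"}),
    Request("scripted attempt that copies the expected header", {"Referer": EXPECTED_REFERER}, legitimate=False),
    Request("naive scripted attempt with no Referer", {}, legitimate=False),
]


def evaluate(requests):
    """Count legitimate users blocked (false positives) and scripted attempts
    allowed (false negatives) under the Referer check."""
    legitimate_blocked = sum(1 for r in requests if r.legitimate and not referer_check(r.headers))
    attempts_allowed = sum(1 for r in requests if not r.legitimate and referer_check(r.headers))
    return {"legitimate_blocked": legitimate_blocked, "attempts_allowed": attempts_allowed}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = "allowed" if referer_check(req.headers) else "blocked"
        print(f"{req.label:55s} -> {verdict}")
    print(evaluate(SAMPLE_REQUESTS))
```

On the constructed sample the check blocks two of the three legitimate users and stops only the scripted attempt that never sets the header, which is the trade-off the post describes: the control is not transparent to users, and it only filters the least careful automation.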
