[OWASP-GUIDE] OWASP Guide 2.0a4 available

Andrew van der Stock vanderaj at greebo.net
Tue Feb 15 19:03:00 EST 2005


Chris Shiflett said:
> I think this is a poor recommendation. Because Referer is so trivially
> spoofed, there aren't many "naive" attacks that will be thwarted. Worse,
> because Referer is optional, and also because there exists third-part
> software and HTTP proxies that strip and/or modify Referer, this can
> adversely affect legitimate users. When possible, safeguards should be
> transparent to the user.
>
> Has this been discussed? My apologies if it has.

Chris,

thanks for your feedback. :) It hasn't been discussed as it's new text.

I wish to include referer as it is a simple control which can remove
attackers who do not have tools. As I've mentioned before on the list,
pretty much any tool will get around this control. However, as a defense
in depth control, it is easy to implement and is worth considering if only
to prevent basic attacks. Not having it just makes it simpler to attack is
all. I do not wish to impart that referer is the ultimate control, just
that it can help.

Andrew




More information about the Owasp-guide mailing list