[OWASP-GUIDE] OWASP Guide 2.0a4 available
michaelsilk at gmail.com
Tue Feb 15 19:10:32 EST 2005
But couldn't it also stop legitimate users coming through a proxy that
ignores the referer? Or someone that has book-marked the login URL?
(This happens alot.., in my experience).
> -----Original Message-----
> From: Andrew van der Stock [mailto:vanderaj at greebo.net]
> Sent: Wednesday, 16 February 2005 11:03 AM
> To: owasp-guide at lists.sourceforge.net
> Subject: Re: [OWASP-GUIDE] OWASP Guide 2.0a4 available
> Chris Shiflett said:
> > I think this is a poor recommendation. Because Referer is
> so trivially
> > spoofed, there aren't many "naive" attacks that will be thwarted.
> > Worse, because Referer is optional, and also because there exists
> > third-part software and HTTP proxies that strip and/or
> modify Referer,
> > this can adversely affect legitimate users. When possible,
> > should be transparent to the user.
> > Has this been discussed? My apologies if it has.
> thanks for your feedback. :) It hasn't been discussed as it's
> new text.
> I wish to include referer as it is a simple control which can
> remove attackers who do not have tools. As I've mentioned
> before on the list, pretty much any tool will get around this
> control. However, as a defense in depth control, it is easy
> to implement and is worth considering if only to prevent
> basic attacks. Not having it just makes it simpler to attack
> is all. I do not wish to impart that referer is the ultimate
> control, just that it can help.
> SF email is sponsored by - The IT Product Guide Read honest &
> candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> Owasp-guide mailing list
> Owasp-guide at lists.sourceforge.net
More information about the Owasp-guide