[OWASP-GUIDE] OWASP Guide 2.0a4 available

Michael Silk michaelsilk at gmail.com
Tue Feb 15 19:10:32 EST 2005


But couldn't it also stop legitimate users coming through a proxy that
ignores the referer? Or someone who has bookmarked the login URL?
(This happens a lot, in my experience.)

-- Michael 


> -----Original Message-----
> From: Andrew van der Stock [mailto:vanderaj at greebo.net] 
> Sent: Wednesday, 16 February 2005 11:03 AM
> To: owasp-guide at lists.sourceforge.net
> Subject: Re: [OWASP-GUIDE] OWASP Guide 2.0a4 available
> 
> Chris Shiflett said:
> > I think this is a poor recommendation. Because Referer is so trivially
> > spoofed, there aren't many "naive" attacks that will be thwarted.
> > Worse, because Referer is optional, and also because there exist
> > third-party software and HTTP proxies that strip and/or modify Referer,
> > this can adversely affect legitimate users. When possible, safeguards
> > should be transparent to the user.
> >
> > Has this been discussed? My apologies if it has.
> 
> Chris,
> 
> thanks for your feedback. :) It hasn't been discussed as it's 
> new text.
> 
> I wish to include referer as it is a simple control which can 
> remove attackers who do not have tools. As I've mentioned 
> before on the list, pretty much any tool will get around this 
> control. However, as a defense in depth control, it is easy 
> to implement and is worth considering if only to prevent 
> basic attacks. Not having it just makes it simpler to attack 
> is all. I do not wish to impart that referer is the ultimate 
> control, just that it can help.
> 
> Andrew
> 
> 
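The trade-off discussed above, as an added example that is not code from this thread or from the OWASP Guide: a Referer check with a strict and a lenient mode, run over constructed requests. ALLOWED_ORIGIN, the header values and the canonical "Referer" header name are assumptions.

```python
from urllib.parse import urlsplit

# Origin of the site being protected (constructed for this example).
ALLOWED_ORIGIN = "https://www.example.test"
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return normalised scheme://host[:port] for url, or None if unusable.

    Default ports are dropped and the host is lower-cased. The host is
    compared whole, so 'www.example.test.attacker.test' never matches.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    suffix = "" if port in (None, DEFAULT_PORTS[parts.scheme]) else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"

def check_referer(headers, strict=False):
    """Return (allowed, reason) for a state-changing request.

    Same-origin Referer passes; cross-origin or unparsable fails. An
    absent Referer is the contested case: strict mode rejects it, which
    also rejects users behind proxies that strip the header or arriving
    from a bookmark; lenient mode accepts it, so the control then stops
    only requests that carry a foreign Referer. Either way this is one
    defence-in-depth layer, not a substitute for an anti-CSRF token.
    """
    referer = headers.get("Referer")  # assumes canonical header names
    if referer is None:
        return (not strict, "no Referer header")
    origin = origin_of(referer)
    if origin is None:
        return (False, "unparsable Referer")
    if origin == origin_of(ALLOWED_ORIGIN):
        return (True, "same-origin Referer")
    return (False, f"cross-origin Referer from {origin}")

if __name__ == "__main__":
    # Constructed requests: legitimate, cross-site, and header stripped.
    for h in ({"Referer": "https://www.example.test/account"},
              {"Referer": "https://www.example.test.attacker.test/form"},
              {}):
        print(h, "strict:", check_referer(h, True), "lenient:", check_referer(h))
```

The third sample is the case Michael raises: with no header at all, only the strict mode blocks it, and that same setting blocks the proxied or bookmarked user.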
