[OWASP-GUIDE] OWASP Guide 2.0a4 available

Andrew van der Stock vanderaj at greebo.net
Tue Feb 15 19:33:28 EST 2005


Michael Silk said:
> But couldn't it also stop legitimate users coming through a proxy that
> ignores the referer? Or someone that has book-marked the login URL?
> (This happens a lot, in my experience.)

If you're doing J2EE development, bookmarking "pages" like "foo.do"
doesn't really help, especially if you take some of the other advice and
make every action a form submission rather than a GET (or combo).

Proxy servers should ignore referer and not re-write or strip them. Many
sites prevent deep linking using referer checks, so most security software
doesn't enable referer re-writing by default.
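As an added illustration (not code from the original message or from the OWASP Guide), a J2EE servlet filter that applies the referer check only to POST actions, so a bookmarked GET of a login page still works, and fails closed when a proxy has stripped the header; the class name, the `expectedHost` init parameter and the decision to reject a missing Referer on POST are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: only state-changing requests (POST) are checked, so a
// bookmarked GET of the login page is unaffected. A POST whose Referer names
// another host, or has no Referer at all (stripped by a proxy), gets a 403.
public class RefererCheckFilter implements Filter {
    // Hostname this application is served as; assumed init parameter, set per deployment.
    private String expectedHost;

    @Override
    public void init(FilterConfig cfg) {
        expectedHost = cfg.getInitParameter("expectedHost");
    }

    // Pure decision function so it can be unit-tested without a container.
    static boolean refererAcceptable(String method, String referer, String expectedHost) {
        if (!"POST".equalsIgnoreCase(method)) {
            return true; // GETs (bookmarks, plain links) do not change state here
        }
        if (referer == null || referer.isEmpty()) {
            return false; // fail closed: header missing or stripped in transit
        }
        try {
            String host = new URI(referer).getHost();
            return host != null && host.equalsIgnoreCase(expectedHost);
        } catch (URISyntaxException e) {
            return false; // unparseable Referer is treated as absent
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        if (!refererAcceptable(r.getMethod(), r.getHeader("Referer"), expectedHost)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Log the rejected POSTs with their Referer value so a proxy that strips the header in a legitimate user population shows up as a pattern rather than as isolated complaints.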


