[OWASP-GUIDE] OWASP Guide 2.0a4 available
Andrew van der Stock
vanderaj at greebo.net
Tue Feb 15 19:33:28 EST 2005
Michael Silk said:
> But couldn't it also stop legitimate users coming through a proxy that
> ignores the referer? Or someone that has book-marked the login URL?
> (This happens a lot, in my experience.)
If you're doing J2EE development, bookmarking "pages" like "foo.do"
doesn't really help, especially if you take some of the other advice and
make every action a form submission rather than a GET (or combo).
Proxy servers should ignore referer and not rewrite or strip them. Many
sites prevent deep linking using referer checks, so most security software
doesn't enable referer rewriting by default.
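The policy the two messages are circling, as an added illustration (not code from the OWASP Guide or from either author): only form submissions are subject to the referer check, so a bookmarked login page or a referer-stripping proxy on a plain GET does not lock anyone out, while a POST with no usable Referer or Origin is refused because it cannot be told apart from a cross-site forgery. The trusted host and the Origin-header preference are assumptions of this example.

```python
"""Referer/Origin check applied only to state-changing form submissions.

Assumptions (this is an illustration, not OWASP Guide code):
- State changes happen via POST; GET is navigation and is never blocked
  on referer grounds, so bookmarks and referer-stripping proxies still work.
- Origin is preferred when a browser sends it; Referer is the fallback.
- A POST carrying neither header is rejected.
"""
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"app.example.com"}  # constructed sample value


def _host_of(url):
    """Hostname part of a URL, or None if it cannot be parsed."""
    return urlsplit(url).hostname


def referer_check(method, headers):
    """Return (allowed, reason) for one request.

    headers is a dict of HTTP request headers; lookup is case-insensitive.
    """
    if method.upper() != "POST":
        return True, "not a form submission; no referer check applied"

    h = {k.lower(): v for k, v in headers.items()}

    origin = h.get("origin")
    if origin and origin != "null":          # "null" carries no host to trust
        if _host_of(origin) in TRUSTED_HOSTS:
            return True, "origin matches a trusted host"
        return False, "origin %r is not trusted" % origin

    referer = h.get("referer")
    if not referer:
        # A proxy that strips Referer on a POST looks exactly like a forgery.
        return False, "POST without Origin or Referer"
    if _host_of(referer) in TRUSTED_HOSTS:
        return True, "referer matches a trusted host"
    return False, "referer %r is not trusted" % referer
```

Comparing the parsed hostname rather than doing a string prefix match keeps a referer such as `http://app.example.com.evil.net/` from passing.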