[OWASP-GUIDE] OWASP Guide 2.0a4 available

Andrew van der Stock vanderaj at greebo.net
Tue Feb 15 19:36:35 EST 2005


Chris Shiflett said:
> This brings us back to a similar discussion we have had here before. I
> think many agreed that this might be solvable if the application keeps up
> with each user agent's behavior:
>
> 1. The Referer is absent.
> 2. The Referer is present (and consistent) but not a URL.
> 3. The Referer is present (and consistent) but not the expected URL.
> 4. The Referer is the expected URL.
>
> (We hypothesized that no user agents fall into the third category.)
>
> So, if a Referer check occurs after the user agent's behavior has been
> recorded, the majority who fall into the fourth category can reap whatever
> benefits are provided by this extra check. Those who fall into the other
> categories can still use the application (and some minor checks are still
> possible for the first and second categories, such as checking for
> consistent behavior).
>
> Perhaps we can slightly amend the recommendation? (Assuming my above
> logic is not flawed.)

That's a cool idea - I want to make sure the developers are aware that the
above four states need to be coped with. I'll provide some amended text
when I get home tonight. Or if you want to have a shot at re-wording it,
feel free! :)

Andrew
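
The four-state scheme Chris describes, worked into a server-side check, as an added example that is not part of this thread or of the OWASP Guide text. It assumes a per-user session identifier, an application origin of https://app.example, and that observe() is only called on requests the application knows were reached from one of its own pages (for example the GET of a form linked from the logged-in landing page); every name and sample value below is constructed for illustration. Comparison is by origin (scheme, host, port) rather than by full URL, and the whole check is a supplement to a per-session anti-CSRF token, not a replacement for it.

```python
"""Referer-behaviour-aware CSRF check (added illustration, not OWASP Guide code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, port)


class RefererState(Enum):
    ABSENT = 1      # 1. header missing or empty
    NOT_URL = 2     # 2. header present but not an http(s) URL (e.g. "-", "about:blank")
    OTHER_URL = 3   # 3. an http(s) URL, but not our origin
    EXPECTED = 4    # 4. an http(s) URL on our origin


def _origin(url: str) -> Optional[Origin]:
    """Return (scheme, host, port) for an http(s) URL, or None if it is not one."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    if scheme not in ("http", "https") or not p.hostname:
        return None
    try:
        port = p.port or (443 if scheme == "https" else 80)
    except ValueError:  # e.g. "http://host:abc/"
        return None
    return (scheme, p.hostname.lower(), port)


def classify(referer: Optional[str], expected_origin: str) -> RefererState:
    """Map a raw Referer header value to one of the four states.

    Matching is by origin, so a path prefix or a look-alike host such as
    app.example.attacker.example does not count as the expected URL.
    """
    if referer is None or not referer.strip():
        return RefererState.ABSENT
    origin = _origin(referer)
    if origin is None:
        return RefererState.NOT_URL
    if origin == _origin(expected_origin):
        return RefererState.EXPECTED
    return RefererState.OTHER_URL


@dataclass
class Baseline:
    state: RefererState
    raw: str                         # literal value seen, for consistency checks
    origin: Optional[Origin] = None  # parsed origin, for category 3 consistency


@dataclass
class Decision:
    allowed: bool
    reason: str


class RefererPolicy:
    """Records each session's Referer behaviour, then enforces accordingly."""

    def __init__(self, expected_origin: str) -> None:
        self.expected_origin = expected_origin
        self._baseline: Dict[str, Baseline] = {}

    def observe(self, session_id: str, referer: Optional[str]) -> None:
        """Record behaviour on a request known to come from one of our own pages.

        Assumption: the caller only invokes this on such requests; the first
        observation for a session becomes its baseline.
        """
        if session_id in self._baseline:
            return
        self._baseline[session_id] = Baseline(
            classify(referer, self.expected_origin),
            (referer or "").strip(),
            _origin(referer) if referer else None,
        )

    def check(self, session_id: str, referer: Optional[str]) -> Decision:
        """Decide whether a state-changing request passes the Referer check."""
        base = self._baseline.get(session_id)
        if base is None:
            return Decision(False, "no recorded behaviour for this session; failing closed")
        now = classify(referer, self.expected_origin)
        if base.state is RefererState.EXPECTED:
            # Category 4: the user agent normally sends our origin, so demand it.
            if now is RefererState.EXPECTED:
                return Decision(True, "Referer matches expected origin")
            return Decision(False, f"user agent normally sends our origin, got {now.name}")
        # Categories 1-3: cannot enforce the full check, but behaviour must stay consistent.
        if now is not base.state:
            return Decision(False, f"inconsistent behaviour: recorded {base.state.name}, got {now.name}")
        if base.state is RefererState.NOT_URL and (referer or "").strip() != base.raw:
            return Decision(False, "non-URL Referer value changed within the session")
        if base.state is RefererState.OTHER_URL and _origin(referer or "") != base.origin:
            return Decision(False, "Referer origin changed within the session")
        return Decision(True, f"{base.state.name}: consistent with recorded behaviour, full check not enforced")


if __name__ == "__main__":
    policy = RefererPolicy("https://app.example")
    policy.observe("sess-1", "https://app.example/home")        # constructed sample
    print(policy.check("sess-1", "https://app.example/form"))  # allowed
    print(policy.check("sess-1", "https://evil.example/"))      # rejected
```

Note what the consistency branch does and does not buy: a session whose baseline is category 1 (no Referer) still rejects a forged request that arrives with the attacker's origin, but it cannot reject one where the Referer has been suppressed, which is exactly why the per-session token stays the primary control and this check only adds defence in depth for the category 4 majority.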
