[OWASP-GUIDE] OWASP Guide 2.0a4 available
michaelsilk at gmail.com
Tue Feb 15 19:50:10 EST 2005
> Proxy servers should ignore referer and not re-write or strip
> them. Many sites prevent deep linking using referer checks,
> so most security software doesn't enable referer re-writing
> by default.
*should* is, of course, different from what they actually do. Also,
people may be using proxy tools on their own computers for other
reasons (such as "proxomitron") which provide them other security
benefits, and as part of their usage they may disable the
> From my web logs of my very busy site I know that referer is
> essentially never disabled over 2000+ users and 24 million+ hits
> per month. Not that I would ever check referer on that site
> - the data is simply not that valuable.
Sure, you can probably get data proving both sides, or anything you
like really, but it doesn't stop the fact that in, for example, my
system everyone has the login page bookmarked.
> I'm worried about the 80/20 rule here. Nothing more. I have
> established the number of users who strip referers is < 1%
> based upon real world logs.
> Any one of us who has access to a busy site's web logs (which
> also collect referer info) can repeat my observation. I
> honestly don't care about those 1% of users who are so
> paranoid to drop or alter a forgeable header which says "I
> came from this same site".
You might not care, but I might. If someone can't login to my system,
it's not a matter of "oh, they don't matter, let them go through
another proxy or something, or just go to another site", it's a matter
of: "oh no, we need to fix that immediately!!"
> I think devs should be aware that these things happen, and
> error check for it (ie be robust in what you accept). If a
> user is aware they need referer to work, all the personal
> Internet Security software I'm aware of allows you to opt out
> on a site-by-site basis. If you want (or have) to use a
> particular site, such as your bank's Internet Banking, the
> bank is the 800 lb gorilla in the relationship.
Kind of; it depends on your relationship with the bank. Some people
may choose other banks due to a dislike of others' systems.
> Remember the days when we used to regularly block cookies?
> They're gone.
> People accept that to use a site requires trading a little something.
> Referer is far from a perfect control, but it's easy and
> stops someone who has no idea from abusing your app.
But who is this person? Who would do such a thing? Who's your attacker here?
Joe ScriptKiddie that has downloaded a tool that automatically does
the referer anyway? He doesn't care.
Or Joe AdvancedHacker who knows what he's doing a little bit, sees
the referer problem, and fixes it.
> Other checks which actually work are the main reason we work
> so hard on good session management. If you have four good
> controls and one so-so control (which does work against
> simple attacks), it's still better than four good controls.
> Defense in depth.
Of course, it's nice, and good, but the problem is disallowing a
legitimate user. That's bad, obviously.
My only point is that it's so trivially spoofed, so why bother at
all? All you do is add more code that your programmers can potentially
bugger up and have to maintain.
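As an added illustration (not code from either poster), here is one way to apply both sides of this exchange: a referer check that only ever vetoes a mismatching header and lets an absent one through, so users behind stripping proxies are not locked out, paired with a session-bound token that does the real work since Referer is forgeable. The host name, form id and session secret are constructed values.

```python
import hmac
import hashlib
from urllib.parse import urlparse


def referer_decision(headers: dict, own_host: str) -> str:
    """Classify a request's Referer as 'allow', 'absent' or 'deny'.

    An empty or missing header is *not* denied: proxies, privacy
    software and bookmarks all produce it for legitimate users.
    """
    ref = headers.get("Referer", "").strip()
    if not ref:
        return "absent"  # be robust in what you accept
    host = urlparse(ref).hostname
    return "allow" if host and host.lower() == own_host.lower() else "deny"


def make_csrf_token(session_secret: bytes, form_id: str) -> str:
    """Derive a per-form token from a per-session secret (HMAC-SHA256)."""
    return hmac.new(session_secret, form_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_secret: bytes, form_id: str, presented) -> bool:
    expected = make_csrf_token(session_secret, form_id)
    return hmac.compare_digest(expected, presented or "")


def accept_state_change(headers: dict, form: dict, session_secret: bytes,
                        own_host: str, form_id: str) -> bool:
    """Combined policy: Referer may only veto; the session token decides."""
    if referer_decision(headers, own_host) == "deny":
        return False
    return csrf_token_valid(session_secret, form_id, form.get("csrf_token"))


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical site.
    secret = b"constructed-session-secret"
    tok = make_csrf_token(secret, "transfer")
    stripped = {}  # proxy removed Referer
    same_site = {"Referer": "https://bank.example/transfer"}
    print(accept_state_change(stripped, {"csrf_token": tok}, secret, "bank.example", "transfer"))
    print(accept_state_change(same_site, {}, secret, "bank.example", "transfer"))
```

The first call succeeds without a Referer because the token is valid; the second fails despite a same-site Referer because the token is missing, which is the point that the header alone proves nothing.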