[OWASP-GUIDE] OWASP Guide 2.0a4 available

Adrian Wiesmann awiesmann at swordlord.org
Wed Feb 16 03:01:22 EST 2005

>> Remember the days when we used to regularly block cookies?
>> They're gone.

No they are not. Some use the feature "make every cookie a temporary one"
in their browsers. Others disable the cookies completely. (It's a good
information gathering technique to disable cookies and HTTP headers at the
client btw. Works on many sites. When they crash because they expect some
header they normally send detailed error reports to the client.)

> Joe ScriptKiddie that has downloaded a tool that automatically does
> the referer anyway? He doesn't care.
> Or Joe AdvancedHacker who knows what he's doing a little bit, sees
> the referer problem, and fixes it.

I see it like a good way to annoy legitimate users who do not like to
share too much data with the site. The question as a site's owner is whether
you want to annoy some of your users.

> My only point is that it's so trivially spoofed that why bother at
> all? All you do is add more code that your programmers can potentially
> bugger up and have to maintain.

That is another aspect which was not discussed before: The implementation
of the referer check could be faulty. What happens if the referer check is
wrong so that the text within the referer is interpreted or can somehow
mess with the program? (And looking at some sites' history of messing with
HTTP headers I guess it is only a question of time until such an error will
be exploited.) I think the negative effects of such a "security" check are
bigger than the positive effects and it should therefore not be implemented.
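As an added illustration of the "faulty referer check" point above (example code, not from the original post or the OWASP Guide): a substring-style check beside a fail-closed one that parses the header, compares scheme and host exactly against an allowlist, and never echoes the header value into its result. The allowlist hosts are constructed sample values. Neither version stops a client that simply sends a forged Referer, which is the thread's main point.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist of (scheme, host) pairs that may send forms.
ALLOWED_ORIGINS = {("https", "www.example.com"), ("https", "example.com")}


def naive_referer_check(referer):
    """Substring test, a common faulty implementation (shown for contrast).

    It accepts any value that merely contains the expected host name, and
    it does nothing about odd or oversized input before later code uses it.
    """
    return referer is not None and "example.com" in referer


def strict_referer_check(referer, allowed=ALLOWED_ORIGINS):
    """Fail-closed check of the Referer header.

    Returns (ok, reason). The reason is a fixed short token that never
    contains the header value, so a malformed or hostile Referer cannot
    leak into error reports or be interpreted downstream.
    """
    if not referer:
        # Privacy tools strip the header; treat that as a policy decision,
        # not as an error condition that crashes or dumps diagnostics.
        return False, "missing"
    if len(referer) > 2048 or "\r" in referer or "\n" in referer:
        return False, "malformed"
    try:
        parts = urlsplit(referer)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed"
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased; userinfo is not part of it
    if not scheme or not host:
        return False, "malformed"
    if (scheme, host) not in allowed:
        return False, "origin"
    return True, "ok"
```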
