[OWASP-GUIDE] Guide status / Administrivia: Mail list is now member only

smille at skynet.be
Thu Jul 14 04:40:42 EDT 2005


I'm currently going over some chapters and noticed some errors in section 8.3.8 (Owasp 2.0 Beta).

Referrer checks do _not_ close off emails as attack vector. It is extremely easy to forge a referrer header (even from email, just some javascript necessary).

And the same goes for the statement 'a hostile site can not force a user's browser to send forged referrer headers'.

Yes it can :). Just look at what one can do with the XMLHTTPrequest object (Active X in IE, built into Mozilla and others)

I'm willing to rewrite those statements (and provide proof-of-concept).

Referrer checks are good, but offer no full protection. They 'raise' the stakes a bit, which is of course good. And if referrer 'anomalies' are logged and monitored, maybe early detection of a hack attempt is possible.

Sincerely,

Herman
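The "log and monitor referrer anomalies" idea from the post above, as an added example that is not part of the thread or the OWASP Guide: a Referer check on state-changing requests that classifies each request and returns the anomalies a monitoring pipeline would log. The trusted hostname and the sample traffic are constructed for the example. A forged header that names the trusted host passes this check, which is exactly the point the post makes about it being a detection aid rather than full protection.

```python
from urllib.parse import urlsplit

# Assumed deployment hostname (constructed for the example).
TRUSTED_HOST = "app.example.com"

def classify_referer(method, referer, trusted_host=TRUSTED_HOST):
    """Return 'ok', 'missing' or 'mismatch' for one request.

    Only state-changing methods are checked; a forged Referer that names the
    trusted host is indistinguishable from a genuine one and returns 'ok'.
    """
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return "ok"
    if not referer:
        # Privacy proxies and some clients strip the header entirely, so a
        # missing Referer is an anomaly to log, not proof of an attack.
        return "missing"
    host = urlsplit(referer).hostname or ""
    # Compare the full hostname, never a prefix or substring, so that
    # "app.example.com.evil.test" is not mistaken for the trusted host.
    return "ok" if host.lower() == trusted_host else "mismatch"

def check_requests(requests, trusted_host=TRUSTED_HOST):
    """Run the check over (method, path, referer) tuples; return the anomalies."""
    anomalies = []
    for method, path, referer in requests:
        verdict = classify_referer(method, referer, trusted_host)
        if verdict != "ok":
            anomalies.append({"path": path, "verdict": verdict, "referer": referer})
    return anomalies

# Constructed sample traffic.
SAMPLE = [
    ("GET", "/account", None),
    ("POST", "/transfer", "https://app.example.com/transfer"),
    ("POST", "/transfer", "https://app.example.com.evil.test/x"),
    ("POST", "/transfer", None),
    ("POST", "/transfer", "https://attacker.test/page"),
]

if __name__ == "__main__":
    for a in check_requests(SAMPLE):
        print(f"REFERER_ANOMALY verdict={a['verdict']} path={a['path']} "
              f"referer={a['referer']!r}")
```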




Hi there,

The mail list will now only accept messages from your registered e-mail address. If you post from different e-mail addresses, please be aware there will be a delay between you submitting your posts and my approving on topic posts. This should eliminate spam to this list.

--

On Guide news, we have had several chapters submitted by various people which is helping to close out the Guide. However, it came to my attention that not everyone has Gill Sans and it printed very badly, so I brought forward the re-formatting task which I had planned for the post-conference bliss. The next edition will look somewhat different to the Gill Sans font I had in b1.

These are chapters I need help in completing:

* Configuration
* Deployment
* How to conduct a code review (please review the threat modelling stuff if you write this chapter)
* US Privacy laws - I have EU and AU privacy covered off thanks to Raoul Endres. This is literally a paragraph or two at most and is a nice easy way to ease into Guide development.
* Buffer overflows
* Distributed processing (transactions, time of check / time of use, synchronization / threading issues, race conditions, deadlocks)

If I don't get any volunteers, these chapters will be kept for 2.1 due in November.

thanks,
Andrew