[OWASP-GUIDE] Guide status / Administrivia: Mail list is now member only

Andrew van der Stock vanderaj at greebo.net
Thu Jul 14 21:11:24 EDT 2005


Referer fields are notorious. They have their place as a bar-raising
exercise only. But saying that, most phishers have yet to move on,
and I'd rather people use a weak control instead of no control.

Happy to take revised text as long as it doesn't slam referrer fields.

Andrew

On 14/07/2005, at 6:40 PM, smille at skynet.be wrote:

> I'm currently going over some chapters and noticed some errors in
> section 8.3.8 (OWASP 2.0 Beta).
>
> Referrer checks do _not_ close off emails as an attack vector. It is
> extremely easy to forge a referrer header (even from email, just
> some JavaScript necessary).
>
> And the same goes for the statement 'a hostile site can not force a  
> user's browser to send forged referrer headers'.
>
> Yes it can :). Just look at what one can do with the XMLHttpRequest
> object (ActiveX in IE, built in to Mozilla and others).
>
> I'm willing to rewrite those statements (and provide a proof-of-concept).
>
> Referrer checks are good, but offer no full protection. They
> 'raise' the stakes a bit, which is of course good. And if referrer
> 'anomalies' are logged and monitored, maybe early detection of a
> hack attempt is possible.
>
> Sincerely,
>
> Herman
>
>
> Hi there,
>
> The mail list will now only accept messages from your registered
> e-mail address. If you post from different e-mail addresses, please be
> aware there will be a delay between you submitting your posts and my
> approving on-topic posts. This should eliminate spam to this list.
>
> --
>
> On Guide news, we have had several chapters submitted by various
> people which is helping to close out the Guide. However, it came to my
> attention that not everyone has Gill Sans and it printed very badly, so
> I brought forward the re-formatting task which I had planned for the
> post-conference bliss. The next edition will look somewhat different to
> the Gill Sans font I had in b1.
>
> These are chapters I need help in completing:
>
> * Configuration
> * Deployment
> * How to conduct a code review (please review the threat modelling
>   stuff if you write this chapter)
> * US Privacy laws - I have EU and AU privacy covered off thanks to
>   Raoul Endres. This is literally a paragraph or two at most and is a
>   nice easy way to ease into Guide development.
> * Buffer overflows
> * Distributed processing (transactions, time of check / time of use,
>   synchronization / threading issues, race conditions, deadlocks)
>
> If I don't get any volunteers, these chapters will be kept for 2.1 due
> in November.
>
> thanks,
> Andrew
>
>
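The referrer check this thread debates, written out as an added defender-side example (not code from the Guide or from either poster): it compares the Referer header's origin exactly against an allow-list and returns a reason string so that anomalies can be logged and monitored, as Herman suggests, and it contrasts that with a naive prefix match that a look-alike hostname slips past. The check remains a bar-raising control only; a header the client chose to send proves nothing. `ALLOWED_ORIGINS`, the `audit` helper and the sample request headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: origins from which state-changing
# requests are expected to originate.
ALLOWED_ORIGINS = {"https://app.example.org", "https://www.example.org"}


def referrer_check(headers):
    """Classify one request by its Referer header.

    Returns (allowed, reason). The reason is meant for a log line, so that
    'foreign-referer' and 'missing-referer' anomalies can be monitored.
    A matching Referer is NOT proof of origin: the client controls the
    header, so this only raises the bar for the laziest attacks.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    referer = h.get("referer")
    if not referer:
        # Browsers, proxies and privacy tools strip Referer; treat as an
        # anomaly to log, not as proof of an attack.
        return False, "missing-referer"
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return False, "malformed-referer"
    # Compare the whole origin (scheme + host[:port]), never a substring.
    source_origin = f"{parts.scheme}://{parts.netloc}".lower()
    if source_origin in ALLOWED_ORIGINS:
        return True, "ok"
    return False, "foreign-referer"


def naive_prefix_check(referer):
    """The weak form seen in real code: accepts any Referer that merely
    starts with a trusted origin, so 'https://app.example.org.evil.test/'
    passes. Shown here only to contrast with referrer_check."""
    return any(referer.startswith(o) for o in ALLOWED_ORIGINS)


def audit(requests):
    """Run referrer_check over a list of (request_id, headers) pairs and
    return (allowed_count, anomaly_log_lines) for a monitoring pipeline."""
    allowed = 0
    anomalies = []
    for req_id, headers in requests:
        ok, reason = referrer_check(headers)
        if ok:
            allowed += 1
        else:
            anomalies.append(f"referer-anomaly id={req_id} reason={reason}")
    return allowed, anomalies


if __name__ == "__main__":
    # Constructed sample traffic for the example.
    sample = [
        ("r1", {"Referer": "https://app.example.org/transfer"}),
        ("r2", {}),
        ("r3", {"Referer": "https://evil.test/phish.html"}),
        ("r4", {"referer": "https://app.example.org.evil.test/x"}),
    ]
    count, log_lines = audit(sample)
    print(f"allowed={count}")
    for line in log_lines:
        print(line)
```

The exact-origin comparison is the part worth copying; the prefix variant is there to show why a referrer check that is implemented loosely is weaker than the already weak control it is meant to be.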