[OWASP-GUIDE] Guide status / Administrivia: Mail list is now member only
Andrew van der Stock
vanderaj at greebo.net
Thu Jul 14 21:11:24 EDT 2005
Referer fields are notorious. They have their place as a bar raising
exercise only. But saying that, most phishers have yet to move on,
and I'd rather people use a weak control instead of no control.
Happy to take revised text as long as it doesn't slam referrer fields.
On 14/07/2005, at 6:40 PM, smille at skynet.be wrote:
> I'm currently going over some chapters and noticed some errors in
> section 8.3.8 (Owasp 2.0 Beta).
> Referrer checks do _not_ close off emails as an attack vector. It is
> extremely easy to forge a referrer header (even from email, just
> And the same goes for the statement 'a hostile site can not force a
> user's browser to send forged referrer headers'.
> Yes it can :). Just look at what one can do with the XMLHTTPrequest
> object (Active X in IE, built into Mozilla and others)
> I'm willing to rewrite those statements (and provide proof-of-
> Referrer checks are good, but offer no full protection. They
> 'raise' the stakes a bit, which is of course good. And if referrer
> 'anomalies' are logged and monitored, maybe early detection of a
> hack attempt is possible.
> Hi there,
>
> The mail list will now only accept messages from your registered
> e-mail address. If you post from different e-mail addresses, please
> be aware there will be a delay between you submitting your posts and
> my approving on topic posts. This should eliminate spam to this list.
>
> --
>
> On Guide news, we have had several chapters submitted by various
> people which is helping to close out the Guide. However, it came to
> my attention that not everyone has Gill Sans and it printed very
> badly, so I brought forward the re-formatting task which I had
> planned for the post-conference bliss. The next edition will look
> somewhat different to the Gill Sans font I had in b1.
>
> These are chapters I need help in completing:
> * Configuration
> * Deployment
> * How to conduct a code review (please review the threat modelling
>   stuff if you write this chapter)
> * US Privacy laws - I have EU and AU privacy covered off thanks to
>   Raoul Endres. This is literally a paragraph or two at most and is a
>   nice easy way to ease into Guide development.
> * Buffer overflows
> * Distributed processing (transactions, time of check / time of use,
>   synchronization / threading issues, race conditions, deadlocks)
>
> If I don't get any volunteers, these chapters will be kept for 2.1 due
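Both messages above agree on the same practical stance: a Referer check is a bar-raising control, not a CSRF defence on its own, and it earns its keep mainly when anomalies are logged and watched. The following is an added example (editor's code, not from the OWASP Guide and not from either poster) of that stance in working form: a classifier that labels the Referer on state-changing requests, an admission policy that refuses only clearly foreign or malformed referrers while letting a missing one through (browsers, proxies and privacy add-ons strip the header, so absence is not proof of attack), and a small aggregator that counts anomalies per client over access-log lines. The trusted host, the protected paths, the log line format and the sample log are all constructed for this example.

```python
"""Referer check as a bar-raising control, with anomaly logging.

Added example, not code from the OWASP Guide or from the mailing list
thread. TRUSTED_HOSTS, PROTECTED_PATHS, the log format and SAMPLE_LOG are
constructed assumptions for illustration.
"""
from urllib.parse import urlsplit

# Constructed: the only origin allowed to submit state-changing requests.
TRUSTED_HOSTS = {"app.example.org"}

# Constructed: state-changing paths that should carry a same-site Referer.
PROTECTED_PATHS = {"/account/transfer", "/account/email"}

STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if it is not
    a parsable http(s) URL. Exact host comparison is used later, so a
    look-alike such as app.example.org.evil.net does not pass."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def classify_referer(method, path, headers):
    """Label the Referer on one request. Returns one of:
      "n/a"       - not a protected state-changing request
      "ok"        - Referer present and from a trusted host
      "missing"   - no Referer header at all
      "malformed" - Referer present but not a parsable http(s) URL
      "foreign"   - Referer names a host we do not trust
    The header is under the client's control, so the label is evidence to
    log and alert on, not a replacement for a per-request token."""
    if method.upper() not in STATE_CHANGING_METHODS or path not in PROTECTED_PATHS:
        return "n/a"
    ref = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if ref is None:
        return "missing"
    host = referer_host(ref)
    if host is None:
        return "malformed"
    return "ok" if host in TRUSTED_HOSTS else "foreign"


def is_allowed(verdict):
    """Admission policy (assumed): refuse only a foreign or malformed
    Referer; admit and log a missing one, since stripping is common."""
    return verdict in ("n/a", "ok", "missing")


def referer_anomalies(log_lines):
    """Count Referer anomalies per client IP.

    Constructed log format: "<ip> <method> <path> <referer>", with "-" for an
    absent Referer. Returns {ip: {verdict: count}} for non-"ok"/"n/a" verdicts,
    which is the feed a monitor would alert on for the early detection the
    thread mentions."""
    counts = {}
    for line in log_lines:
        ip, method, path, ref = line.split(" ", 3)
        headers = {} if ref == "-" else {"Referer": ref}
        verdict = classify_referer(method, path, headers)
        if verdict in ("ok", "n/a"):
            continue
        per_ip = counts.setdefault(ip, {})
        per_ip[verdict] = per_ip.get(verdict, 0) + 1
    return counts


# Constructed sample access log: one clean submission, one cross-site POST
# pair from a lure page, one stripped Referer, and one garbage value.
SAMPLE_LOG = [
    "10.0.0.5 GET /account/transfer -",
    "10.0.0.5 POST /account/transfer https://app.example.org/account",
    "10.0.0.9 POST /account/transfer http://evil.example.net/lure.html",
    "10.0.0.9 POST /account/email http://evil.example.net/lure.html",
    "10.0.0.7 POST /account/transfer -",
    "10.0.0.9 POST /account/transfer nonsense",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ip, method, path, ref = line.split(" ", 3)
        v = classify_referer(method, path, {} if ref == "-" else {"Referer": ref})
        print(f"{ip:10} {method:6} {path:18} {v:9} allowed={is_allowed(v)}")
    print(referer_anomalies(SAMPLE_LOG))
```

The exact host comparison matters: a prefix or substring match on the Referer would accept a hostile host named after the trusted one. Note also that the sample's "foreign" lines from the same client on two protected paths are exactly the pattern worth an alert, whereas a single "missing" is routine noise.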
More information about the Owasp-guide