[thelist] Worried...please help

Koutoulas, Pete PKOUTOUL at Fayette.k12.ky.us
Wed Jun 18 07:21:56 CDT 2003


On Tuesday, June 17, 2003 11:49 PM, Ken Schaefer wrote:

> Steve's code won't actually do anything to prevent the problem, since
> Request.ServerVariables("Local_Addr") will always be the IP address
> that the website is bound to.
> 
> Pete's point, as far as I can tell, is incorrect. The
> Request.ServerVariables("Local_Addr") is populated internally on the
> webserver, and doesn't rely on information posted by the browser. I'm
> not sure how there's a trivial way to "spoof" this.

Ken is correct. I read the original post too quickly, thinking that he was
getting the referrer (Request.ServerVariables("HTTP_REFERER")) which in
theory would have been correct. My point was that HTTP Referrer *is* in fact
easy to spoof and this was a very common way of getting around primitive
form-processing script restrictions in the past. Sorry for the confusion.

<tip type="security" author="Pete Koutoulas">Novice web programmers often
find it tempting to rely on the HTTP referrer header -- accessed in ASP for
example as Request.ServerVariables("HTTP_REFERER"). Since this header is
supposed to contain the URL of the referring page (the page containing the
form to be processed) it seems like a simple way to ensure that the form was
not tampered with. In truth, because the HTTP referrer header is generated
by the client, it is a simple matter for a malicious user with the right
tools to spoof the header, thus rendering the protection scheme useless.
More information about this and other similar issues is available in the
document "A guide to building secure web applications" available at
http://www.owasp.org. </tip>

___________________________________
Pete Koutoulas, Website Manager
Fayette County Public Schools
701 E. Main Street
Lexington, KY 40502
Voice (859) 381-4138
Fax (859) 381-4763
webmaster at fcps.net
www.fcps.net


This student or staff email originated from Fayette County Public Schools in
Lexington, KY. 
Please report instances of abuse or inappropriate content to
postmaster at fayette.k12.ky.us 
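As an added example that is not from the post or from any ASP code by its author, here is the naive Referer check the tip describes next to the server-issued form token that replaces it, written in Python; the site origin and the session class are assumptions.

```python
"""Added example (not from the thelist post): two ways of deciding whether a
form submission came from our own page.

referer_check() is the scheme the tip warns about: it trusts the Referer
header, which is ordinary client input.  token_check() is the replacement:
a random secret minted by the server, bound to the session, and echoed back
in the form; a page on another site never sees it.
"""
import hmac
import secrets

SITE = "https://app.example.test"  # constructed placeholder origin


def referer_check(headers: dict) -> bool:
    """Naive: accept if the Referer claims to come from our site."""
    return headers.get("Referer", "").startswith(SITE)


class Session:
    """Minimal server-side session store for one user (assumption)."""
    def __init__(self):
        self.csrf_token = None


def issue_form_token(session: Session) -> str:
    """Called while rendering the form: mint a token and remember it."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def token_check(session: Session, form: dict) -> bool:
    """Called while processing the form: compare in constant time."""
    submitted = form.get("csrf_token")
    if session.csrf_token is None or submitted is None:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def evaluate_cross_site_post() -> tuple:
    """Constructed submission from a third-party page: the Referer value is
    whatever the sender chose to put there, so it proves nothing, while the
    missing token is caught because only our own form ever carried it."""
    session = Session()
    issue_form_token(session)
    claimed_headers = {"Referer": SITE + "/form.asp"}
    foreign_form = {"name": "x"}  # no csrf_token field
    return referer_check(claimed_headers), token_check(session, foreign_form)
```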


