Alan Silver
Hello,

Reading articles on the various forms of attack that people try against
web sites, it seems that a lot of them involve people modifying a page
and posting it back to the server. Thus, if you had some way of checking
(on postback) if the postback had come from the server on which the page
is running, you would be a long way towards avoiding these attacks.

For example, if you could have (pseudocode)...

    void Page_Load(object sender, EventArgs e) {
        // FromMyServer is the hypothetical check being asked about; it is not a real property
        if (!FromMyServer) {
            // display message "Don't try and hack my site!!" or similar
        } else if (!IsPostBack) {
            // initialise controls, etc
        }
    }

Offhand, the only way I can think of doing such a check is from the
HTTP_REFERER server variable, but as that is pretty easy to hack, it
doesn't really help.

Any comments?
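
One way to build the kind of "FromMyServer" check asked about above without relying on HTTP_REFERER, as an added example that is not part of the original post: the server places an HMAC over the session ID and page path in a hidden field and recomputes it on postback. The names PostbackToken, Issue and Verify, the sample session IDs and the path /order.aspx are hypothetical, and the sketch assumes the session ID and path never contain "|".

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: per-session form token based on HMAC-SHA256.
public static class PostbackToken
{
    // Assumption: a real site loads a fixed key from protected configuration;
    // a random key is generated here only so the demo is self-contained.
    private static readonly byte[] Key = NewKey();

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Token written into a hidden field when the server renders the page.
    public static string Issue(string sessionId, string pagePath)
    {
        byte[] msg = Encoding.UTF8.GetBytes(sessionId + "|" + pagePath);
        using (var hmac = new HMACSHA256(Key)) return Convert.ToBase64String(hmac.ComputeHash(msg));
    }

    // Postback check: recompute the token and compare without early exit.
    public static bool Verify(string token, string sessionId, string pagePath)
    {
        if (string.IsNullOrEmpty(token)) return false;
        byte[] supplied;
        try { supplied = Convert.FromBase64String(token); }
        catch (FormatException) { return false; }
        byte[] expected = Convert.FromBase64String(Issue(sessionId, pagePath));
        if (supplied.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= supplied[i] ^ expected[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        string token = PostbackToken.Issue("session-A", "/order.aspx"); // constructed sample values
        Console.WriteLine(PostbackToken.Verify(token, "session-A", "/order.aspx"));
        Console.WriteLine(PostbackToken.Verify(token, "session-B", "/order.aspx"));
        Console.WriteLine(PostbackToken.Verify("not-a-token", "session-A", "/order.aspx"));
    }
}
```

A valid token shows only that the form was rendered by this server for this session; it says nothing about the other field values, which still have to be validated on the server.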