html referrer spoofing

Discussion in 'ASP .Net' started by Aaron, Jan 25, 2004.

  1. Aaron

    Aaron Guest

    I would like to make a page that's only accessible from a certain website,
    so I did this:

    if (HttpContext.Current.Request.UrlReferrer.ToString().Trim().StartsWith("http://www.approveddomain.com"))
        method(); // access page
    else
        accessdenied();

    --------------

    Did I do this right? I know there are programs out there that can spoof the HTTP
    referrer; would my code still work?

    i.e. spoofed URL:

    http://www.hacker.com/@http://www.approveddomain.com

    I need to make sure my code works 100% of the time.



    Thanks

    Aaron
     
    Aaron, Jan 25, 2004
    #1

  2. Well, all it would take is for somebody to write to the headers, and your
    security has been defeated. Do you have any control over this other site? If
    so, then you can have that site set some variable somewhere that your target
    site goes in and reads. For example, it could generate a new GUID, store
    this in a database, and then add it to the querystring. The target site can
    then read this GUID, compare it to the database, and then clear the
    database. If you need to be absolutely guaranteed that the user hasn't
    modified the headers somehow, then you have to store something on your end
    that the user/attacker cannot get to.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows Client
    Windows XP Associate Expert
    --
    More people read the newsgroups than read my email.
    Reply to the newsgroup for a faster response.
    (Control-G using Outlook Express)
    --

     
    Chris Jackson, Jan 26, 2004
    #2
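
The one-time token handoff described in the reply above, as an added example that is not code from the thread. The `HandoffTokens` class, the in-memory dictionary standing in for the shared database, the two-minute lifetime and the `target.example` URL are all assumptions; the token is a GUID built from CSPRNG bytes rather than `Guid.NewGuid()`, which is a substitution made here.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Stand-in for the database table both sites can reach (assumption).
public static class HandoffTokens
{
    static readonly ConcurrentDictionary<string, DateTime> Store =
        new ConcurrentDictionary<string, DateTime>();
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2);

    // Referring site: create a token, record it, append it to the link.
    public static string Issue(DateTime nowUtc)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);                       // CSPRNG bytes
        string token = new Guid(bytes).ToString("N");  // 32 hex chars, GUID-shaped
        Store[token] = nowUtc + Lifetime;
        return token;
    }

    // Target site: accept the token once; after that it is gone from the store.
    public static bool Redeem(string token, DateTime nowUtc)
    {
        DateTime expires;
        if (string.IsNullOrEmpty(token)) return false;
        // TryRemove is atomic, so two concurrent requests cannot both succeed.
        if (!Store.TryRemove(token, out expires)) return false;
        return nowUtc <= expires;
    }
}

public static class Demo
{
    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string token = HandoffTokens.Issue(now);
        string link = "http://target.example/page.aspx?t=" + token; // constructed URL
        Console.WriteLine(link);
        Console.WriteLine(HandoffTokens.Redeem(token, now));               // first use
        Console.WriteLine(HandoffTokens.Redeem(token, now));               // replay
        Console.WriteLine(HandoffTokens.Redeem("not-a-real-token", now));  // forged
        string late = HandoffTokens.Issue(now);
        Console.WriteLine(HandoffTokens.Redeem(late, now.AddMinutes(5)));  // expired
    }
}
```

The target page's decision depends only on server-side state, so a rewritten Referer header has no effect on it.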