html referrer spoofing

Discussion in 'ASP .Net' started by Aaron, Jan 25, 2004.

  1. Aaron

    Aaron Guest

    I would like to make a page that's only accessible from a certain website,
    so I did this:

    if (HttpContext.Current.Request.UrlReferrer.ToString().Trim().StartsWith("http://www.approveddomain.com"))
        method(); // access page
    else
        accessdenied();

    --------------

    Did I do this right? I know there are programs out there that can spoof the HTTP
    referrer. Would my code still work?

    i.e. spoofed URL:

    http://www.hacker.com/@http://www.approveddomain.com

    I need to make sure my code works 100% of the time.



    Thanks

    Aaron
     
    Aaron, Jan 25, 2004
    #1

  2. Well, all it would take is for somebody to write to the headers, and your
    security has been defeated. Do you have any control over this other site? If
    so, then you can have that site set some variable somewhere that your target
    site goes in and reads. For example, it could generate a new GUID, store
    this in a database, and then add it to the querystring. The target site can
    then read this GUID, compare it to the database, and then clear the
    database. If you need to be absolutely guaranteed that the user hasn't
    modified the headers somehow, then you have to store something on your end
    that the user/attacker cannot get to.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows Client
    Windows XP Associate Expert
    --
    More people read the newsgroups than read my email.
    Reply to the newsgroup for a faster response.
    (Control-G using Outlook Express)
    --
     
    Chris Jackson, Jan 26, 2004
    #2