NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP Penetration Discussion

Adam Maccabee Trachtenberg adam at trachtenberg.com
Sat May 28 10:56:10 EDT 2005


On Sat, 28 May 2005, Jon Niola wrote:

> Thinking about that article I was wondering, why not just check the
> HTTP_REFERER to make sure the form is being submitted from server as
> opposed to someone storing it locally and editing vars?
>
> Might not be too bad an idea for us to put together a security page
> with best practices, do's and don'ts, etc. It would be a valuable
> resource for even the seasoned coders. Some of the best coders I know
> take security for granted.

I don't mean to be rude, but if you really think checking HTTP_REFERER
is a good way to protect against this type of attack, you probably
shouldn't be working on a security "best practices" page.

This value is easily spoofed because an attacker can manually set the
HTTP header herself and the value is easily known. See
http://shiflett.org/archive/96.

-adam

-- 
adam at trachtenberg.com | http://www.trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!
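The contrast the reply draws, as an added example that is not part of the thread or of the linked article: the Referer test proposed in the quoted message, beside a per-session form token check, which is one common alternative. The host name, session layout and token lifetime are assumptions made for the example.

```php
<?php
// Added example (not from the original thread): why a Referer check is a
// weak test for "was this form submitted from our site", and what a
// per-session token check looks like instead.
declare(strict_types=1);

const SITE_HOST = 'www.example.com'; // hypothetical site name

/**
 * The check from the quoted message: trust the submission when the
 * Referer names our host. The Referer is supplied by the client, so any
 * client can send whatever value passes this test; browsers also omit it
 * in many situations, so legitimate users get rejected.
 */
function refererLooksLocal(array $server): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return parse_url($ref, PHP_URL_HOST) === SITE_HOST;
}

/**
 * Token check: when the form is rendered the server emits a random value
 * into a hidden field and remembers it in the session. A submission is
 * accepted only if it echoes a value the server itself issued.
 */
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$token] = time();
    return $token; // goes into <input type="hidden" name="token" value="...">
}

function formTokenIsValid(array &$session, array $post, int $maxAge = 900): bool
{
    $token = $post['token'] ?? '';
    if (!is_string($token) || !isset($session['form_tokens'][$token])) {
        return false;
    }
    $fresh = (time() - $session['form_tokens'][$token]) <= $maxAge;
    unset($session['form_tokens'][$token]); // single use
    return $fresh;
}

// Constructed requests for demonstration.
$session = [];
$token = issueFormToken($session);
var_dump(refererLooksLocal(['HTTP_REFERER' => 'http://www.example.com/form.php'])); // true: header is client-chosen
var_dump(formTokenIsValid($session, ['token' => $token]));   // true: issued by us
var_dump(formTokenIsValid($session, ['token' => $token]));   // false: already consumed
```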


