Posted by kops on May 30, 2007, 8:40 am
Is there any way I can protect my site from people using zspoof /
supermegaspoof etc. to spoof the referrer header?
Any help much appreciated,
Thanks, Jon.
Posted by Sebastian G. on May 30, 2007, 9:05 am
kops wrote:
> Is there any way I can protect my site from people using zspoof /
> supermegaspoof etc. to spoof the referrer header?
Beside that I never heard of this weird stuff (any normal person would use
the refspoof extension for Mozilla, the referer form field in his download
manager, or wget --referer=), the obvious answer is NO.
From the view of your server, there's absolutely no difference between a
normal HTTP request with the correct Referer field being set by the
web browser due to actual reference, and a crafted field being set by anyone
else with knowledge of the intended reference.
Posted by kops on May 30, 2007, 10:13 am
> kops wrote:
>
>> Is there any way I can protect my site from people using zspoof /
>> supermegaspoof etc. to spoof the referrer header?
>
>
> Beside that I never heard of this weird stuff (any normal person would
> use the refspoof extension for Mozilla, the referer form field in his
> download manager, or wget --referer=), the obvious answer is NO.
>
> From the view of your server, there's absolutely no difference between a
> normal HTTP request with the correct Referer field being set by the
> web browser due to actual reference, and a crafted field being set by
> anyone else with knowledge of the intended reference.
Hi Sebastian and thanks for the response. While it might be obvious to you,
it isn't to me so please bear with me :)
So from what I understand, the only way around this if I have a ring of
sites would be to ask each user to authenticate separately at each site
rather than using the referral method?
Thanks again,
jon
Posted by Sebastian G. on May 30, 2007, 10:36 am
kops wrote:
> So from what I understand, the only way around this if I have a ring of
> sites would be to ask each user to authenticate separately at each site
> rather than using the referral method?
I don't understand what you mean. Referrers are an open secret to anyone who
has already been authenticated somewhere, and can be transferred freely
among users. Passwords and any other kind of authentication are essentially
the same: any user can post them publicly so others can gain access to the site.
I think your problem is that your referrers are
a) easily guessed
b) not properly validated
c) not valuable to any authenticated user
Posted by Ertugrul Soeylemez on May 30, 2007, 2:01 pm
> Is there any way I can protect my site from people using zspoof /
> supermegaspoof etc. to spoof the referrer header?
Not through the Referrer field itself. You need to somehow encode the
referring page URI into the request, and you need to do this properly.
This means that all pages need to be dynamically generated, and all
references in the pages need to be rewritten to include something like
"ref=PAGE-ID" in the query string part.
Technically that's easy to accomplish (e.g. using Apache's mod_perl),
but it will only work around Referrer spoofing. It will not prevent the
user from spoofing the `ref' query field itself, or just typing in the
URL in question manually.
Further beware of bookmarking or `URL pasting'. You will get wrong
things logged. To overcome this, you could use POST instead of GET, but
that's the wrong way to go, because POST is not intended to be used for
such purposes. And it would only work in forms, which is bad, too.
If you place such an importance into the knowledge of the Referrer,
then you have to force every user to register and login, and use
cryptographical methods. I cannot imagine any scenario where such
overkill is necessary.
By the way, both methods I presented here are intra-site methods. They
will not work for inter-site references, unless the remote site
implements the same scheme.
In other words, don't rely on the Referrer at all. Live with the fact
that it can be spoofed, because you can't prevent it reliably. For
things like ad-click counters, encode the corresponding information in
the URI, but don't rely on Referrers or home-grown techniques.
Regards,
Ertugrul Söylemez.
-- 
Security is the one concept, which makes things in your life stay as
they are. Otto is a man, who is afraid of changes in his life; so
naturally he does not employ security.
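As an added illustration of the two points above (not code from any poster): a naive Referer check passes a crafted header exactly as it passes a genuine one, while the ref=PAGE-ID rewrite can be made tamper-evident by tagging the page id with a keyed MAC. The secret, host name and page ids are constructed for the example; the MAC only detects invented ref values, it does not stop someone from pasting or bookmarking a genuine link, as the post notes.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed server-side secret for this example; a real deployment keeps it out of source.
SECRET = b"example-secret-do-not-reuse"
SITE_HOST = "www.example.com"


def naive_referer_check(headers):
    """The check the thread argues against: trust whatever Referer the client sent.
    The server cannot tell a browser-set value from a client-chosen one."""
    referer = headers.get("Referer", "")
    return urlsplit(referer).netloc == SITE_HOST


def make_ref_token(page_id):
    """Tag a page id with a keyed MAC so the server can recognise its own links.
    This is the 'cryptographical methods' variant of the post's ref=PAGE-ID scheme."""
    tag = hmac.new(SECRET, page_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{page_id}.{tag}"


def rewrite_link(target_path, page_id):
    """Rewrite an intra-site link so the referring page travels in the query string."""
    return f"{target_path}?ref={make_ref_token(page_id)}"


def verify_ref(url):
    """Return the referring page id if the ref token is genuine, otherwise None."""
    qs = parse_qs(urlsplit(url).query)
    token = qs.get("ref", [""])[0]
    page_id, sep, tag = token.rpartition(".")
    if not sep:
        return None  # no token, or a bare page id without a tag
    expected = hmac.new(SECRET, page_id.encode(), hashlib.sha256).hexdigest()[:16]
    return page_id if hmac.compare_digest(tag, expected) else None
```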