Posted by Jerry Stuckle on 03/10/06 20:33

Chung Leong wrote:
> Jerry Stuckle wrote:
>
>>In addition to what Justin said - if someone DOES want to spoof your
>>site, they will set HTTP_REFERER to your site. That check is worthless.
>
>
> I think you misunderstand the problem. Here's how an
> auto-form-submission attack works:
>
> 1. Victim logs into site A
> 2. Victim is fooled into going to site B
> 3. Page at site B has a prefilled form targetting a script at site A.
> Through Javascript the form is submitted without any intervention from
> the victim.
> 4. The POST request arrives at site A and is processed as though the
> victim has filled and submitted.
>
> The solution proposed by the OP would stop this type of attacks but it
> has to be implemented on every form. A check on the referer header
> offers incomplete protection but can be easily implemented as a global
> check.
>
> In this scenario, it's the victim's computer which is making the POST,
> thus spoofing isn't a real concern.
>

I know *exactly* how auto-form-submission works. In fact, from your
posts here I expect I know a lot more about it than you do. I've been
in this field too many years. What you describe is only *one way* it can
happen. And it's not even the most common.

Much more common or 'bots which fake the user and post forms. They can
set anything they want in the headers, including HTTP_REFERER.

Another way is to act as a kind of proxy - intercepting the data as it
flows between the user and the site, changing the HTTP_REFERER and
anything else they want (unless you're using SSL).

And this is only the beginning of the number of ways it can be spoofed.
It is NOT a reliable source of information!


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]