[Mimedefang] OT: Email web form exploits

Matthew.van.Eerde at hbinc.com Matthew.van.Eerde at hbinc.com
Fri Sep 9 13:06:09 EDT 2005


Kelson wrote:
> James Ebright wrote:
>> Check the URI referrer and only allow the web form to be hit FROM
>> the URLS that it should be linked to otherwise simply return an
>> error similar to unauthorized access attempt....
> 
> Not sufficient.  These are being done using direct hits to port 80,
> not actual web browsers, so the attacking script can set whatever
> referrer it wants.
> 
> I already had referer checks on all the forms that I saw get hit by
> these probes.

Set a session variable on the page load and place it in a hidden input.
On the form action, compare the session variable to the received input.  If they match, fine.  If not, something's up.

What to do about session timeouts, though... hmm...  Maybe a 1x1 iframe with an HTTP Refresh header could keep the session alive so long as the browser is on the page...

If all else fails there's always CAPTCHA.

-- 
Matthew.van.Eerde (at) hbinc.com               805.964.4554 x902
Hispanic Business Inc./HireDiversity.com       Software Engineer
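The session-token check proposed above, written out as an added example that is not part of the original thread: a constructed in-memory session store, a fresh random token stored in the session on page load and emitted as a hidden input, and a comparison on the form action that also handles the timeout case explicitly, so an expired or missing session rejects the post instead of silently passing it. The names SESSIONS, render_form, handle_submit and FORM_TOKEN_TTL are assumptions; a real application would use its framework's server-side session storage.

```python
import hmac
import secrets
import time
from typing import Optional

FORM_TOKEN_TTL = 15 * 60  # seconds; assumed lifetime of a rendered form

# Constructed in-memory session store: session_id -> session data.
SESSIONS: dict = {}


def render_form(session_id: str, now: Optional[float] = None) -> str:
    """Page load: store a fresh random token in the session, emit it as a hidden input."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    sess = SESSIONS.setdefault(session_id, {})
    sess["form_token"] = token
    sess["form_token_issued"] = now
    return f'<input type="hidden" name="form_token" value="{token}">'


def handle_submit(session_id: str, posted: dict, now: Optional[float] = None) -> str:
    """Form action: compare the posted hidden field against the session copy."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_id)
    if sess is None or "form_token" not in sess:
        # Direct hit to the form action without ever loading the page, or session gone.
        return "rejected: no session token"
    if now - sess["form_token_issued"] > FORM_TOKEN_TTL:
        sess.pop("form_token", None)
        return "rejected: token expired; re-render form"
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(sess["form_token"], posted.get("form_token", "")):
        return "rejected: token mismatch"
    # One-time use: a replay of the same post is rejected.
    del sess["form_token"]
    return "accepted"
```

This stops blind posts straight to port 80 that never fetched the form; a script that fetches the page first still obtains a valid token, which is why the post falls back to CAPTCHA as the last resort.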
