
html referrer spoofing

I would like to make a page that's only accessible from a certain website,
so I did this:

// UrlReferrer is null when the request carries no Referer header
Uri referrer = HttpContext.Current.Request.UrlReferrer;
if (referrer != null &&
    referrer.ToString().Trim().StartsWith("http://www.approveddomain.com"))
    method(); // access page
else
    accessdenied();

--------------

Did I do this right? I know there are programs out there that can spoof the
HTTP referrer. Would my code still work?

i.e. a spoofed URL:

http://www.hacker.com/@http://www.approveddomain.com

I need to make sure my code works 100% of the time.

Thanks

Aaron
Jul 21 '05 #1
Well, all it would take is for somebody to write to the headers, and your
security has been defeated. Do you have any control over this other site? If
so, then you can have that site set some variable somewhere that your target
site goes in and reads. For example, it could generate a new GUID, store
this in a database, and then add it to the querystring. The target site can
then read this GUID, compare it to the database, and then clear the
database. If you need to be absolutely guaranteed that the user hasn't
modified the headers somehow, then you have to store something on your end
that the user/attacker can not get to.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--

Jul 21 '05 #2
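
The one-time token handoff described in the reply above, as an added example that is not part of the original thread. Assumptions: an in-memory dictionary stands in for the database both sites can reach, the class and method names are hypothetical, and the two-minute expiry and the use of 16 bytes from RandomNumberGenerator in place of a GUID are choices made for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Stand-in for the shared database table (assumption of this example).
static class HandoffTokens
{
    static readonly ConcurrentDictionary<string, DateTime> Store =
        new ConcurrentDictionary<string, DateTime>();
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2); // assumed expiry window

    // Referring site: create an unguessable token, record it server-side,
    // and return it so it can be appended to the query string of the link.
    public static string Issue()
    {
        byte[] raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "");
        Store[token] = DateTime.UtcNow + Lifetime;
        return token;
    }

    // Target site: accept a token exactly once. TryRemove is atomic, so the
    // lookup and the "clear the database" step cannot be raced by a replay.
    public static bool Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return false;
        DateTime expires;
        return Store.TryRemove(token, out expires) && DateTime.UtcNow <= expires;
    }
}

static class Demo
{
    static void Main()
    {
        // Hypothetical link built by the referring site:
        //   http://target.example/page.aspx?t=<token>
        string token = HandoffTokens.Issue();
        Console.WriteLine("first use: " + HandoffTokens.Redeem(token));
        Console.WriteLine("replay:    " + HandoffTokens.Redeem(token));
        Console.WriteLine("made up:   " + HandoffTokens.Redeem(Guid.NewGuid().ToString("N")));
        Console.WriteLine("no token:  " + HandoffTokens.Redeem(null));
    }
}
```

Unlike the Referer header, the token's validity is decided entirely by state the client cannot write to, so editing request headers gains nothing.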
