Re: ASP.net { or any web application } security



Hi,

Yes, this is easily possible - have a look at www.fiddlertool.com


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

What I mean is:
Do you know the "REFERRER" key in any HTTP header? It tells the server
from which URI that request was redirected.
For example, you are in Page1.aspx and click on a link that will navigate
you to Page2.aspx.
Check Request.Headers["Referer"] in the load event of Page2.aspx, and you
find the value of the URI Page1.aspx.
In that way, you can detect from where your requests are coming:
from inside your application, or from other sites or local copies.

My question is, can the attacker change this Referrer manually so he
can fake this validation? Like what happens in phishing, for example.

I hope this was clear

"Dominick Baier" wrote:

By the way, I have another question for you, as a security expert: can
any tool, or application, or technology, etc. change the "HTTP
referrer" for any HTTP header request??

What do you mean?

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Hi Dominick,

Thanks for your reply. I already thought of your idea, which is producing a
token and expiry time, but I don't think this will solve the problem. For
example, you set the expiry as 1 min for every request; then the hacker can
save the HTML, replace whatever he wants within 1 min, and submit it back.
You got me?
Also, think of big and huge forms to fill: the user may not finish filling
the forms within that expiry time, so his submit will fail!
By the way, I have another question for you, as a security expert: can any
tool, or application, or technology, etc. change the "HTTP referrer" for
any HTTP header request??
Thanks in advance,
Bashar
Well - you could generate one-time IDs that are only valid for a short
period of time; you could append these to links as a query string.

An HttpModule could check the appended IDs for validity...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
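
The one-time-ID scheme Dominick proposes, together with the expiry window Bashar objects to, as an added example that is not from any participant in this thread and is not ASP.NET code: a language-neutral Python sketch of what such an HttpModule would check on each request. The function names (`issue_token`, `check_token`, `authorize_request`), the session id, the link target and the 60-second lifetime are assumptions. The check deliberately never reads the Referer header (the header Bashar calls "Referrer" is spelled `Referer` on the wire), because, as the replies above say, the client can set it to anything.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key. Constructed here at import time for the example; a real
# deployment would load it from configuration so every worker shares it.
SERVER_SECRET = secrets.token_bytes(32)

# One-time IDs already consumed. In-memory stand-in (constructed) for a
# per-session store; in ASP.NET this would live in session state.
_consumed = set()


def _mac(session_id, target, exp, nonce):
    """HMAC-SHA256 over everything the ID is bound to."""
    msg = "{}|{}|{}|{}".format(session_id, target, exp, nonce).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, target, now=None, ttl=60):
    """Mint a one-time ID to append to a link to `target` as ?id=...

    Format: expiry.nonce.mac. Only the server can produce the mac, and it is
    bound to this session and this link, so a copy pasted into another
    session or onto another URL fails verification.
    """
    exp = int(now if now is not None else time.time()) + ttl
    nonce = secrets.token_hex(8)
    return "{}.{}.{}".format(exp, nonce, _mac(session_id, target, exp, nonce))


def check_token(session_id, target, token, now=None):
    """Validate a one-time ID; returns "ok" or the reason it was rejected."""
    try:
        exp_s, nonce, mac = token.split(".")
        exp = int(exp_s)
    except (ValueError, AttributeError):
        return "malformed"
    # Constant-time comparison; a forged, edited or other-session ID fails here.
    if not hmac.compare_digest(mac, _mac(session_id, target, exp, nonce)):
        return "bad-signature"
    if (now if now is not None else time.time()) > exp:
        return "expired"
    if nonce in _consumed:
        return "replayed"  # a saved copy cannot be submitted twice
    _consumed.add(nonce)
    return "ok"


def authorize_request(session_id, path, query, headers, now=None):
    """What the HttpModule would do per request. `headers` is accepted but
    never consulted: Referer is chosen by the client, so it proves nothing."""
    token = query.get("id")
    if token is None:
        return "missing-token"
    return check_token(session_id, path, token, now)


if __name__ == "__main__":
    t0 = 1_000_000  # fixed clock (constructed) so the run is deterministic
    link_id = issue_token("sess-1", "/Page2.aspx", now=t0)
    spoofed = {"Referer": "http://example.test/Page1.aspx"}  # constructed header
    # A convincing Referer without a server-issued ID is still rejected.
    print(authorize_request("sess-1", "/Page2.aspx", {}, spoofed, now=t0 + 5))
    # The ID issued for this session and link is accepted exactly once.
    print(authorize_request("sess-1", "/Page2.aspx", {"id": link_id}, {}, now=t0 + 5))
    print(authorize_request("sess-1", "/Page2.aspx", {"id": link_id}, {}, now=t0 + 6))
    # The same ID presented from a different session fails the signature.
    other = issue_token("sess-1", "/Page2.aspx", now=t0)
    print(authorize_request("sess-2", "/Page2.aspx", {"id": other}, {}, now=t0 + 5))
```

What this buys and what it does not: a valid ID proves that this server minted the link for this session recently and that it has not been used before, which is the "only from my own links" property asked for at the start of the thread. It does not stop the client from editing field values in a saved copy and posting them within the window, so every posted value still needs server-side validation regardless of the token, which is exactly the gap Bashar points at. For long forms, the ID is better issued with the form itself and given a lifetime that matches how long the form takes to fill in, rather than one short lifetime for every request.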
Hi all,

I'm wondering how I can prevent this scenario:

I have an ASP.NET application, not using any kind of ASP.NET security
model [neither Windows nor Forms Auth]. The client can save a complete
copy of the web site locally; he can change any JavaScript function,
then change the Action attribute in the form tag to point to the same
page again, and it will submit.

My question is: I want to access my website only within my web site
links or requests. I don't want to accept the previous scenario, and I
also don't want to accept any custom HTTP request coming from outside my
internal web site.
I can't depend on HTTP Referer, because it can easily be changed
through HTTP sniffing tools or packet editor tools.
Any advice???
Bashar

