Velocity Reviews - Computer Hardware Reviews


referrer spoofing protection

 
 
kops
 
      05-30-2007
Is there any way I can protect my site from people using zspoof /
supermegaspoof etc. to spoof the referrer header?

Any help much appreciated,

Thanks, Jon.


 
 
 
 
 
Sebastian G.
 
      05-30-2007
kops wrote:

> Is there any way I can protect my site from people using zspoof /
> supermegaspoof etc. to spoof the referrer header?



Besides that I have never heard of this weird stuff (any normal person would use
the refspoof extension for Mozilla, the referer form field in his download
manager, or wget --referer=), the obvious answer is NO.

From the view of your server, there's absolutely no difference between a
normal HTTP request with the correct Referer field being set by the
web browser due to an actual reference, and a crafted field being set by anyone
else with knowledge of the intended reference.
 
 
 
 
 
kops
 
      05-30-2007
"Sebastian G." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> kops wrote:
>
>> Is there any way I can protect my site from people using zspoof /
>> supermegaspoof etc. to spoof the referrer header?

>
>
> Besides that I have never heard of this weird stuff (any normal person would
> use the refspoof extension for Mozilla, the referer form field in his
> download manager, or wget --referer=), the obvious answer is NO.
>
> From the view of your server, there's absolutely no difference between a
> normal HTTP request with the correct Referer field being set by the
> web browser due to an actual reference, and a crafted field being set by
> anyone else with knowledge of the intended reference.


Hi Sebastian, and thanks for the response. While it might be obvious to you,
it isn't to me, so please bear with me.

So from what I understand, the only way around this if I have a ring of
sites would be to ask each user to authenticate separately at each site
rather than using the referral method?

Thanks again,

jon


 
 
Sebastian G.
 
      05-30-2007
kops wrote:


> So from what I understand, the only way around this if I have a ring of
> sites would be to ask each user to authenticate separately at each site
> rather than using the referral method?


I don't understand what you mean. Referrers are an open secret to anyone who
has already been authenticated somewhere, and can be transferred freely
among users. Passwords and any other kind of authentication are essentially
the same; any user can post them publicly so others can gain access to the site.

I think your problem is that your referrers are
a) easily guessed
b) not properly validated
c) not valuable to any authenticated user
 
 
Ertugrul Soeylemez
 
      05-30-2007
"kops" <(E-Mail Removed)> (07-05-30 12:40:05):

> Is there any way I can protect my site from people using zspoof /
> supermegaspoof etc. to spoof the referrer header?


Not through the Referrer field itself. You need to somehow encode the
referring page URI into the request, and you need to do this properly.
This means that all pages need to be dynamically generated, and all
references in the pages need to be rewritten to include something like
"ref=PAGE-ID" in the query string part.

Technically that's easy to accomplish (e.g. using Apache's mod_perl),
but it will only work around Referrer spoofing. It will not prevent the
user from spoofing the `ref' query field itself, or just typing in the
URL in question manually.

Further beware of bookmarking or `URL pasting'. You will get wrong
things logged. To overcome this, you could use POST instead of GET, but
that's the wrong way to go, because POST is not intended to be used for
such purposes. And it would only work in forms, which is bad, too.

If you place such an importance on the knowledge of the Referrer,
then you have to force every user to register and log in, and use
cryptographic methods. I cannot imagine any scenario where such an
overkill is necessary.

By the way, both methods I presented here are intra-site methods. They
will not work for inter-site references, unless the remote site
implements the same scheme.

In other words, don't rely on the Referrer at all. Live with the fact
that it can be spoofed, because you can't prevent it reliably. For
things like ad-click counters, encode the corresponding information in
the URI, but don't rely on Referrers or home-grown techniques.


Regards,
Ertugrul Söylemez.


--
Security is the one concept, which makes things in your life stay as
they are. Otto is a man, who is afraid of changes in his life; so
naturally he does not employ security.
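The scheme described in the reply above, as an added example that is not code from the thread or from any poster: every link on a dynamically generated page carries the referring page id in a `ref` query field, and the server decides where a request came from by reading that field instead of the client-controlled Referer header. It also goes one step beyond the post, as the reply's "register and log in, and use cryptographic methods" remark suggests, by HMAC-signing the page id together with the visitor's login session, so a token cannot be guessed, edited, or copied from one user's URL into another's. The secret, the session ids, the page ids, and all function names are constructed for illustration; the bookmark / pasted-URL case the reply warns about comes back as "direct" rather than being logged as a spoofed reference.

```python
# Added example (not from the thread): carry the referring page id in the
# query string instead of trusting Referer, and sign it per login session.
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed placeholder; a real deployment loads a random key from config.
SERVER_SECRET = b"constructed-secret-replace-with-a-random-key"


def _mac(page_id: str, session_id: str) -> str:
    """HMAC-SHA256 over (session, page), truncated to 128 bits, hex-encoded."""
    msg = f"{session_id}\x00{page_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_ref(page_id: str, session_id: str) -> str:
    """Token to embed as ref=... in every link on page `page_id`.

    Format is PAGE-ID.MAC; the MAC is hex, so rpartition on '.' in
    verify_ref() always splits at the right place even if the page id
    itself contains dots.
    """
    return f"{page_id}.{_mac(page_id, session_id)}"


def verify_ref(token: str, session_id: str) -> Optional[str]:
    """Return the page id if `token` was minted for this session, else None."""
    page_id, sep, mac = token.rpartition(".")
    if not sep or not page_id:
        return None
    # Constant-time comparison so a forger gets no timing side channel.
    if not hmac.compare_digest(mac, _mac(page_id, session_id)):
        return None
    return page_id


def add_ref(href: str, page_id: str, session_id: str) -> str:
    """Rewrite one outgoing link on page `page_id` to include the token.

    Existing query parameters are preserved; a stale ref= is replaced.
    """
    parts = urlsplit(href)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["ref"] = [make_ref(page_id, session_id)]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def referring_page(request_url: str, headers: dict, session_id: str) -> str:
    """Decide where a request came from WITHOUT consulting Referer.

    `headers` is accepted only to make the point explicit: its Referer
    value is never read, because anything the client sends there can be
    set to whatever the client likes.

    Returns the verified page id, "direct" when no token is present
    (bookmark, pasted URL, manually typed), or "invalid" when the token
    does not verify (guessed, edited, or copied from another session).
    """
    query = parse_qs(urlsplit(request_url).query)
    token = query.get("ref", [None])[0]
    if token is None:
        return "direct"
    page_id = verify_ref(token, session_id)
    return page_id if page_id is not None else "invalid"


if __name__ == "__main__":
    # Constructed walk-through: a link minted on page-42 for session sess-A.
    link = add_ref("/download?file=a.zip", "page-42", "sess-A")
    print(link)
    print(referring_page(link, {"Referer": "https://example.invalid/"}, "sess-A"))
    print(referring_page(link, {}, "sess-B"))   # token transplanted: invalid
    print(referring_page("/download?file=a.zip", {}, "sess-A"))  # direct
```

The signing only helps once each visitor has a server-side session to bind the token to, which is exactly the registration and login the reply calls overkill for most sites; without it the scheme degrades to the plain `ref=PAGE-ID` field, which any user can type in by hand. In either form it is intra-site only: a link from another site will not carry a token, so such requests simply show up as "direct".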
 
 
kops
 
      05-31-2007
Thank you both for your help.


 