Subject: Re: recent 'cross site scripting' CERT advisory
From: Gregory Steuck (greg at NEST.CX)
Date: Wed Feb 09 2000 - 01:52:07 CST
- Next message: Thomas Biege: "(no subject)"
- Previous message: Swift Griggs: "Re: Statistical Attack Against Virtual Banks"
- Maybe reply: Gregory Steuck: "Re: recent 'cross site scripting' CERT advisory"
>>>>> "Henri" == Henri Torgemane <metal_hurlant at YAHOO.COM> writes:
Henri> But if it is done right (i.e.: you're explicitly specifying
Henri> which files don't need a REFERRER check, rather than trying
Henri> to keep a list of every script that needs it), I believe it
Henri> can provide instant CSS protection without having to audit
Henri> all these server scripts right away.
While we are at it, let's not forget that Referer is a privacy breach on
its own. And those who use junkbuster never send Referer headers. So be
careful when recommending Referer as a remedy; it might hit the
security-conscious types.
Bye
Greg
P.S. Yeah, one can configure junkbuster to send the Referer header to certain
sites, but it's a hassle.
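The check Henri describes (every script checked by default, with an explicit exempt list) and the failure mode Greg raises (clients that send no Referer at all) in one small policy function. This is an added example, not code from either poster; the host names, paths and sample requests are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed configuration: only these paths are exempt from the check;
# everything else on the site is checked by default.
REFERER_EXEMPT_PATHS = {"/", "/index.html", "/login"}

def referer_allows(request_path: str, referer: Optional[str], own_host: str,
                   exempt_paths=REFERER_EXEMPT_PATHS,
                   allow_missing: bool = False) -> str:
    """Classify one request by its Referer header.

    Returns:
      "allow"   - exempt path, or the Referer points back at our own host
      "deny"    - the Referer names a foreign host (the cross-site case)
      "missing" - no Referer present; privacy proxies such as junkbuster
                  strip it, so the site policy must decide this case
                  explicitly (allow_missing=True turns it into "allow",
                  at the cost of losing the protection for those clients)
    """
    if request_path in exempt_paths:
        return "allow"
    if not referer:
        return "allow" if allow_missing else "missing"
    parts = urlsplit(referer)
    # Only http(s) referers with a parseable host count; urlsplit lowercases
    # .hostname and drops any port, so a plain equality test is enough and
    # a look-alike such as www.example.test.evil.test does not match.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "deny"
    return "allow" if parts.hostname == own_host.lower() else "deny"

# Constructed sample traffic against www.example.test.
SAMPLE_REQUESTS = [
    ("/index.html", None),                                         # exempt page
    ("/cgi-bin/post", "http://www.example.test/forum.html"),       # same site
    ("/cgi-bin/post", "HTTP://WWW.EXAMPLE.TEST/forum.html"),       # case differs
    ("/cgi-bin/post", "http://www.example.test.evil.test/x.html"), # look-alike host
    ("/cgi-bin/post", "http://other.example/lure.html"),           # foreign site
    ("/cgi-bin/post", None),                                       # junkbuster-style client
]

def classify_all(own_host: str = "www.example.test", allow_missing: bool = False):
    """Run the policy over the sample traffic and return the verdicts in order."""
    return [referer_allows(p, r, own_host, allow_missing=allow_missing)
            for p, r in SAMPLE_REQUESTS]
```

The last sample request is the case Greg warns about: with the strict policy it is neither allowed nor a detected cross-site request, and the operator has to choose between turning those users away and weakening the check for everyone.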