Subject: How to prevent malicious linking/posting to webapps?
From: Lincoln Yeoh (lyeoh POP.JARING.MY)
Date: Mon Sep 11 2000 - 04:56:59 CDT

Hi,

Just wondering what are good ways to prevent malicious linking to web
applications.

For example:

Let's say we have a web application which allows links or even img src
links (webmail) to be included in messages from uncontrolled users.

And the web app has a command which is accessed by a url similar to
http://www.mydomain.com/webapp?command=deletefolder&folderid=1
(assuming using cookies for session authentication and the session is active).

So if the user unknowingly clicks on such a link, or even just views the
page with images enabled, nasty things happen.

There seem to be quite a number of ways to prevent such nasties, any ideas
on which are good or which are your favourites?

How do popular websites prevent abuse of their "one click" shopping?

I personally don't like the http-referer method, but some seem to use it.

Thanks,
Link.
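
The following is an added example, not part of the original post or of any product it mentions. It replays the post's deletefolder URL against a cookie-only handler and against one common mitigation: state-changing commands accepted only as POST and only with a per-session HMAC token. The handler names, SERVER_KEY and the session id are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
STATE_CHANGING = {"deletefolder"}     # commands that modify data

def action_token(session_id, command):
    """Value the app embeds in its own forms, derived from the session id."""
    msg = f"{session_id}|{command}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def handle_naive(method, url, body, session_id, folders):
    """Pattern from the post: an active session cookie alone authorises the command."""
    q = parse_qs(urlsplit(url).query)
    if session_id and q.get("command") == ["deletefolder"]:
        folders.discard(q.get("folderid", [""])[0])
        return 200
    return 400

def handle_checked(method, url, body, session_id, folders):
    """Same command, accepted only as a POST carrying the per-session token."""
    if not session_id:
        return 401
    params = parse_qs(body if method == "POST" else urlsplit(url).query)
    command = params.get("command", [""])[0]
    if command not in STATE_CHANGING:
        return 400
    if method != "POST":
        return 405  # a link or img src in a message can only cause a GET
    supplied = params.get("token", [""])[0].encode()
    expected = action_token(session_id, command).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403  # token missing or not issued for this session
    folders.discard(params.get("folderid", [""])[0])
    return 200

def demo():
    """Replay the post's link, then a forged and a legitimate POST (values constructed)."""
    link = "http://www.mydomain.com/webapp?command=deletefolder&folderid=1"
    sid, naive, checked = "constructed-session-id", {"1", "2"}, {"1", "2"}
    out = [handle_naive("GET", link, "", sid, naive),
           handle_checked("GET", link, "", sid, checked)]
    form = "command=deletefolder&folderid=1"
    out.append(handle_checked("POST", "/webapp", form, sid, checked))
    form += "&token=" + action_token(sid, "deletefolder")
    out.append(handle_checked("POST", "/webapp", form, sid, checked))
    return out, naive, checked
```

Calling demo() returns the four status codes in order, followed by the folder sets left behind by each handler.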