[WEB4LIB] Can HTTP_REFERRER be used to prevent external links?
Thomas Dowling
tdowling at ohiolink.edu
Mon Nov 4 08:59:41 EST 2002
At 02:19 AM 11/4/02 -0800, John Fitzgibbon wrote:
>Hi,
>
>We plan to use HTTP_REFERRER to prevent external links. My question is: can
>a web server be easily spoofed? Is it possible to send an HTTP request
>header containing the required HTTP_REFERRER as text without clicking on a
>link?

telnet www.somewhere.org 80
GET /super/secret/file.html HTTP/1.0
Referer: http://www.somewhere.org/i-already-authenticated.html
[Blank line]

Yes, any HTTP header can be spoofed. All an intruder needs to know is the
page to ask for and the referer it wants. Likewise with "authentication"
using guessable cookie values.

Thomas Dowling
Ohio Library and Information Network
tdowling at ohiolink.edu
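
Added example, not part of the original message: a Referer-based gate beside a gate that requires a server-issued, MAC-protected session cookie, run over constructed requests. The names SERVER_KEY, issue_token, token_gate and the "session" cookie are assumptions for illustration; the URL is the one from the message above.

```python
import hashlib
import hmac
import secrets

# Assumed names: SERVER_KEY, issue_token and the "session" cookie are hypothetical.
SERVER_KEY = secrets.token_bytes(32)   # stays on the server, never sent to clients
TRUSTED_REFERER = "http://www.somewhere.org/i-already-authenticated.html"


def referer_gate(headers):
    """Weak check: trusts a header whose value the client chooses."""
    return headers.get("Referer") == TRUSTED_REFERER


def issue_token(user):
    """Called only after a real login; binds the user name to a server-side MAC."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def token_gate(headers):
    """Stronger check: the cookie must carry a MAC only the server can compute."""
    cookie = headers.get("Cookie", "")   # simplified: a single cookie per request
    if not cookie.startswith("session="):
        return False
    user, sep, mac = cookie[len("session="):].rpartition(":")
    if not sep or not user:
        return False
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Compare as bytes, in constant time, so odd client input cannot raise.
    return hmac.compare_digest(mac.encode(), expected.encode())


# Constructed sample requests (header dicts as a server would parse them).
typed_by_hand = {"Referer": TRUSTED_REFERER}        # no link was clicked
guessed_cookie = {"Referer": TRUSTED_REFERER, "Cookie": "session=jdoe:1"}
after_login = {"Cookie": "session=" + issue_token("jdoe")}

if __name__ == "__main__":
    for name, req in [("typed_by_hand", typed_by_hand),
                      ("guessed_cookie", guessed_cookie),
                      ("after_login", after_login)]:
        print(f"{name:15} referer_gate={referer_gate(req)} "
              f"token_gate={token_gate(req)}")
```

The hand-typed request passes referer_gate because the client supplies the header value; only the request carrying a token issued after login passes token_gate.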