Ideas for Improving ASP and ASP.NET Web Application Security

Print Add To Favorites Email To Friend Rate This Article
Ideas for Improving ASP and ASP.NET Web Application Security - Part 1

page 3 of 6

by Brett Burridge
Feedback

Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 28438/ 110

Article Contents:

Do not rely on HTTP_REFERER Server Variable

The HTTP_REFERER server variable records the URL of the page the user's browser visited before the current page. As such, it is sometimes used to check that a form was submitted from the correct form and that the submission did not originate from elsewhere.

While this is a useful technique to guard against automated form submissions, there are, however, a number of issues with using the HTTP_REFERER server variable.

Some proxy servers and content filtering services mask the value of the HTTP_REFERER or even strip it out altogether before the request arrives at the destination server.

An increasing number of Internet web robots are being used with a fake value for the HTTP_REFERER server variable.

The HTTP_REFERER server variable can be easily faked by many of the tools used to create automated web-crawling robots and form submission utilities.

Consequently, there are disadvantages to using the HTTP_REFERER server variable to increase the security of web applications. Alternative strategies to securing forms would be to include using a graphical sequence of characters that a user has to type into the form before submission (i.e. a Captcha, see http://www.captcha.net/), or to include certain dynamically-generated, hidden fields within the form that must also be present when the form is submitted.

« (Page 2)

View Entire Article

(Page 4) »

User Comments

No comments posted yet.

Product Spotlight