11-01-2001, 11:30 AM
Osholio
Confirmed User
 
Join Date: Sep 2001
Location: UK
Posts: 99
Referrer spoofing? Good god, that's utterly trivial to do. Hell, I've written scripts to do it in Perl to pull images off the ifriends site for my 'active banners'.

It's an inherent limitation of HTTP. Using .htaccess files to prevent hotlinking based upon the HTTP referrer header (or as it's used, 'referer') has always been vulnerable to spoofing.

If you use this to protect your members' areas, then you're in trouble, and have always been in trouble. Basic realm protection should still be secure from this kind of spoofing, but the ultra-paranoid should verify usernames and passwords via a secure (SSL) page and then set up a session cookie to allow access to the members' content. That kind of setup will also protect the site from brute force crackers.

One day, I may use my powers for evil...

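The contrast described in the post above, as an added example that is not part of the original post: a Referer-based gate accepts any request that supplies the expected header value, while a cookie the server signs after an SSL login cannot be made up by the client. The key, site URL, cookie name, lifetime and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"    # assumption: server-side key, never sent to clients
SITE = "https://members.example/"   # constructed site URL
SESSION_TTL = 1800                  # assumption: 30-minute sessions


def referer_gate(headers):
    """Hotlink-style check: trusts a header whose value the client chooses."""
    return headers.get("Referer", "").startswith(SITE)


def issue_session(username, now=None):
    """Call only after the password was verified on the SSL login page."""
    expires = int(time.time() if now is None else now) + SESSION_TTL
    payload = f"{username}|{expires}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def session_gate(headers, now=None):
    """Accept only an unexpired cookie value that this server signed."""
    token = ""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            token = value
    try:
        payload, mac = token.rsplit("|", 1)
        expires = int(payload.rsplit("|", 1)[1])
    except (ValueError, IndexError):
        return False  # missing or malformed cookie
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # value was not produced by issue_session()
    return (time.time() if now is None else now) < expires


if __name__ == "__main__":
    # Constructed requests: one carries only a Referer, one a signed cookie.
    referer_only = {"Referer": SITE + "index.html"}
    logged_in = {"Cookie": "session=" + issue_session("alice")}
    for label, req in (("referer only", referer_only), ("signed cookie", logged_in)):
        print(label, referer_gate(req), session_gate(req))
```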