Web Application Security
Preventing direct URL access in a J2EE environment Mar 01 2005 03:19PM
Kevin Conaway (kevin conaway gmail com) (3 replies)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 10:54AM
Paul Johnston (paul westpoint ltd uk) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:54PM
Jeroen van Rijn (xananda gmail com)
Re: Preventing direct URL access in a J2EE environment Mar 01 2005 06:46PM
Saqib Ali (docbook xml gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 01 2005 10:34PM
RSnake (rsnake shocking com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 02 2005 05:22AM
Saqib Ali (docbook xml gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 02 2005 12:54PM
Kevin Conaway (kevin conaway gmail com) (5 replies)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:58PM
Roy Britten (r britten niwa co nz)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:28PM
Dwayne Ghant (dghant temple edu) (2 replies)
Re: Preventing direct URL access in a J2EE environment Mar 04 2005 02:09PM
Kevin Conaway (kevin conaway gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 10 2005 03:16PM
Paul Johnston (paul westpoint ltd uk)
RE: Preventing direct URL access in a J2EE environment Mar 04 2005 01:35AM
David Robert (drobert djinnsoft com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:28PM
Dwayne Ghant (dghant temple edu) (2 replies)
Re: Preventing direct URL access in a J2EE environment Mar 04 2005 02:09PM
Kevin Conaway (kevin conaway gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 10 2005 03:16PM
Paul Johnston (paul westpoint ltd uk)
RE: Preventing direct URL access in a J2EE environment Mar 04 2005 01:35AM
David Robert (drobert djinnsoft com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:24PM
Jeroen van Rijn (xananda gmail com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:24PM
Jeroen van Rijn (xananda gmail com)
Re: Preventing direct URL access in a J2EE environment Mar 01 2005 06:46PM
Saqib Ali (docbook xml gmail com) (3 replies)
Re: Preventing direct URL access in a J2EE environment Mar 01 2005 10:34PM
RSnake (rsnake shocking com) (1 replies)

Referers are also not availible in some security settings.
Zonelabs Zone Alarm Pro, and both Norton Internet Security and
Norton Personal Firewall all drop the referring URL. Forget
spoofable, sometimes it's just not there at all.

See this for details from Symantec:

http://service1.symantec.com/SUPPORT/nip.nsf/46f26a2d6dafb0a788256bc7005
c3fa3/b9b47ad7eddd343b88256c6b006a85a8?OpenDocument&src=bar_sch_nam

There are a number of tricks you can use to get more information
from the user's machine, but Referring URL isn't reliable. Not
to mention it can also be non-existant via meta refreshing.

On Tue, 1 Mar 2005, Saqib Ali wrote:

> It is a commonly used technique called anti-leeching or anti-leaching .
>
> Search for "anti leeching php" or "anti leeching jsp" on Google. You
> will find many resources.
>
> You can control the path that a user takes by checking for the
> HTTP_REFERER . But this is not a fail-proof technique, because the
> HTTP_REFERER can alwasy be spoofed.
>
> In Peace,
> Saqib Ali
> http://validate.sf.net
>
>
> On Tue, 1 Mar 2005 10:19:37 -0500, Kevin Conaway
> <kevin.conaway (at) gmail (dot) com [email concealed]> wrote:
>> For our application, we would like to prevent users from requesting
>> application resources directly. E.g. browsing to
>> http://localhost/app/method.do?id=5&type=3 instead of actually
>> clicking on a link that the application provides.
>>
>> We would like to do this without a major impact on our code. I was
>> thinking of using the following scenario:
>>
>> - Currently we have tag libraries that help build all our URLS. These
>> tag libraries would be modified to include a strong cryptographic
>> token that is unique to each URL/User combination. - The token/URL
>> combination would be stored in the application context for a
>> pre-determined amount of time.
>>
>> - Next, we would use a Servlet filter to intercept the URL. First,
>> deny URLS requested without tokens. If a token is passed, verify that
>> matches the token stored in the application context for the requested
>> URL.
>>
>> For the token, I was considering using SecureRandom to generate a
>> random number and compute a hash of the random number and the URI
>> being requested. This would be stored along with with URI and the
>> user Id.
>>
>> Could anyone point out any pitfalls I need to be aware of, or if I'm
>> going about things the wrong way?
>>
>> Thanks
>>
>> Kevin
>>
>
>
> --
> In Peace,
> Saqib Ali
> http://tools.tldp.org/search.php <--- Search for Linux HOWTOs
>

-R XSS Cheatsheet: http://www.shocking.com/~rsnake/xss.html

The information in this email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to
this email by anyone else is unauthorized. If you are not the
intended recipient, any disclosure, copying, distribution or any
action taken or omitted to be taken in reliance on it is
expressly prohibited and may be unlawful.

[ reply ]
Re: Preventing direct URL access in a J2EE environment Mar 02 2005 05:22AM
Saqib Ali (docbook xml gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 02 2005 12:54PM
Kevin Conaway (kevin conaway gmail com) (5 replies)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:58PM
Roy Britten (r britten niwa co nz)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:28PM
Dwayne Ghant (dghant temple edu) (2 replies)
Re: Preventing direct URL access in a J2EE environment Mar 04 2005 02:09PM
Kevin Conaway (kevin conaway gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 10 2005 03:16PM
Paul Johnston (paul westpoint ltd uk)
RE: Preventing direct URL access in a J2EE environment Mar 04 2005 01:35AM
David Robert (drobert djinnsoft com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:28PM
Dwayne Ghant (dghant temple edu) (2 replies)
Re: Preventing direct URL access in a J2EE environment Mar 04 2005 02:09PM
Kevin Conaway (kevin conaway gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 10 2005 03:16PM
Paul Johnston (paul westpoint ltd uk)
RE: Preventing direct URL access in a J2EE environment Mar 04 2005 01:35AM
David Robert (drobert djinnsoft com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:24PM
Jeroen van Rijn (xananda gmail com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:24PM
Jeroen van Rijn (xananda gmail com)
Re: Preventing direct URL access in a J2EE environment Mar 01 2005 10:34PM
RSnake (rsnake shocking com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 02 2005 05:22AM
Saqib Ali (docbook xml gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 02 2005 12:54PM
Kevin Conaway (kevin conaway gmail com) (5 replies)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:58PM
Roy Britten (r britten niwa co nz)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:28PM
Dwayne Ghant (dghant temple edu) (2 replies)
Re: Preventing direct URL access in a J2EE environment Mar 04 2005 02:09PM
Kevin Conaway (kevin conaway gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 10 2005 03:16PM
Paul Johnston (paul westpoint ltd uk)
RE: Preventing direct URL access in a J2EE environment Mar 04 2005 01:35AM
David Robert (drobert djinnsoft com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:28PM
Dwayne Ghant (dghant temple edu) (2 replies)
Re: Preventing direct URL access in a J2EE environment Mar 04 2005 02:09PM
Kevin Conaway (kevin conaway gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 10 2005 03:16PM
Paul Johnston (paul westpoint ltd uk)
RE: Preventing direct URL access in a J2EE environment Mar 04 2005 01:35AM
David Robert (drobert djinnsoft com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:24PM
Jeroen van Rijn (xananda gmail com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:24PM
Jeroen van Rijn (xananda gmail com)
Re: Preventing direct URL access in a J2EE environment Mar 01 2005 10:34PM
RSnake (rsnake shocking com) (1 replies)
<br/>
Referers are also not availible in some security settings.<br/>
Zonelabs Zone Alarm Pro, and both Norton Internet Security and<br/>
Norton Personal Firewall all drop the referring URL. Forget<br/>
spoofable, sometimes it's just not there at all.<br/>
<br/>
See this for details from Symantec:<br/>
<br/>
http://service1.symantec.com/SUPPORT/nip.nsf/46f26a2d6dafb0a788256bc7005
<br/>
c3fa3/b9b47ad7eddd343b88256c6b006a85a8?OpenDocument&src=bar_sch_nam<
br/>
<br/>
There are a number of tricks you can use to get more information<br/>
from the user's machine, but Referring URL isn't reliable. Not<br/>
to mention it can also be non-existant via meta refreshing.<br/>
<br/>
On Tue, 1 Mar 2005, Saqib Ali wrote:<br/>
<br/>
> It is a commonly used technique called anti-leeching or anti-leaching .<br/>
><br/>
> Search for "anti leeching php" or "anti leeching jsp" on Google. You<br/>
> will find many resources.<br/>
><br/>
> You can control the path that a user takes by checking for the<br/>
> HTTP_REFERER . But this is not a fail-proof technique, because the<br/>
> HTTP_REFERER can alwasy be spoofed.<br/>
><br/>
> In Peace,<br/>
> Saqib Ali<br/>
> http://validate.sf.net<br/>
><br/>
><br/>
> On Tue, 1 Mar 2005 10:19:37 -0500, Kevin Conaway<br/>
> <kevin.conaway (at) gmail (dot) com [email concealed]> wrote:<br/>
>> For our application, we would like to prevent users from requesting<br/>
>> application resources directly. E.g. browsing to<br/>
>> http://localhost/app/method.do?id=5&type=3 instead of actually<br/>
>> clicking on a link that the application provides.<br/>
>><br/>
>> We would like to do this without a major impact on our code. I was<br/>
>> thinking of using the following scenario:<br/>
>><br/>
>> - Currently we have tag libraries that help build all our URLS. These<br/>
>> tag libraries would be modified to include a strong cryptographic<br/>
>> token that is unique to each URL/User combination. - The token/URL<br/>
>> combination would be stored in the application context for a<br/>
>> pre-determined amount of time.<br/>
>><br/>
>> - Next, we would use a Servlet filter to intercept the URL. First,<br/>
>> deny URLS requested without tokens. If a token is passed, verify that<br/>
>> matches the token stored in the application context for the requested<br/>
>> URL.<br/>
>><br/>
>> For the token, I was considering using SecureRandom to generate a<br/>
>> random number and compute a hash of the random number and the URI<br/>
>> being requested. This would be stored along with with URI and the<br/>
>> user Id.<br/>
>><br/>
>> Could anyone point out any pitfalls I need to be aware of, or if I'm<br/>
>> going about things the wrong way?<br/>
>><br/>
>> Thanks<br/>
>><br/>
>> Kevin<br/>
>><br/>
><br/>
><br/>
> -- <br/>
> In Peace,<br/>
> Saqib Ali<br/>
> http://tools.tldp.org/search.php <--- Search for Linux HOWTOs<br/>
><br/>
<br/>
-R XSS Cheatsheet: http://www.shocking.com/~rsnake/xss.html<br/>
<br/>
The information in this email is confidential and may be legally<br/>
privileged. It is intended solely for the addressee. Access to<br/>
this email by anyone else is unauthorized. If you are not the<br/>
intended recipient, any disclosure, copying, distribution or any<br/>
action taken or omitted to be taken in reliance on it is <br/>
expressly prohibited and may be unlawful.

[ reply ]
Re: Preventing direct URL access in a J2EE environment Mar 02 2005 05:22AM
Saqib Ali (docbook xml gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 02 2005 12:54PM
Kevin Conaway (kevin conaway gmail com) (5 replies)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:58PM
Roy Britten (r britten niwa co nz)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:28PM
Dwayne Ghant (dghant temple edu) (2 replies)
Re: Preventing direct URL access in a J2EE environment Mar 04 2005 02:09PM
Kevin Conaway (kevin conaway gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 10 2005 03:16PM
Paul Johnston (paul westpoint ltd uk)
RE: Preventing direct URL access in a J2EE environment Mar 04 2005 01:35AM
David Robert (drobert djinnsoft com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:28PM
Dwayne Ghant (dghant temple edu) (2 replies)
Re: Preventing direct URL access in a J2EE environment Mar 04 2005 02:09PM
Kevin Conaway (kevin conaway gmail com) (1 replies)
Re: Preventing direct URL access in a J2EE environment Mar 10 2005 03:16PM
Paul Johnston (paul westpoint ltd uk)
RE: Preventing direct URL access in a J2EE environment Mar 04 2005 01:35AM
David Robert (drobert djinnsoft com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:24PM
Jeroen van Rijn (xananda gmail com)
Re: Preventing direct URL access in a J2EE environment Mar 03 2005 09:24PM
Jeroen van Rijn (xananda gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus