[WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)

Brian Eaton eaton.lists at gmail.com
Wed Jun 28 11:42:38 EDT 2006

On 6/28/06, RSnake <rsnake at shocking.com> wrote:
> ... A more realistic problem is I actually _might_ want
> people to automatically send traffic to my comments function if someone
> eventually builds an application to forward requests to my page to make
> it easier for my users.  Again, you could argue that in that case I
> should explicitly allow that one referrer in, and I might agree, but
> wow... this is seeming like an administration nightmare, even on a small
> site like mine.

If you change your policy on who should and shouldn't be sending
requests to certain pages, you should expect that you will need to do
some work to make that policy take effect.  That's true no matter what
kind of enforcement mechanism you are using.  The more elaborate your
policy, the more work you are going to have to do to describe it.

Is the extra work required to enable the policy worth the trouble?  It
depends on the site.
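As an added illustration of the point above (example code, not from the list or either poster), here is what a per-page referrer policy looks like once it is written down: every page that should only accept requests from the site itself gets an entry, and every exception (such as a forwarding application for the comments page) is one more entry that someone has to maintain. The hostnames, paths and the policy table are constructed for the example.

```python
"""Per-page Referer allowlist check (added example, assumptions labelled)."""
from urllib.parse import urlparse

# Assumption: the site's own hostname.
SITE_HOST = "example.test"

# Constructed policy table. "self" means requests from this site are fine.
# Every additional hostname is an explicit exception that has to be kept
# current by hand, which is the administration cost discussed in the thread.
POLICY = {
    "/comments": {"self", "forwarder.example.test"},  # hypothetical forwarder
    "/account/transfer": {"self"},
}


def referer_allowed(path, referer, policy=POLICY, site_host=SITE_HOST):
    """Return (allowed, reason) for a request to `path` carrying `referer`.

    Paths with no policy entry are left unprotected, so the table is the
    complete description of what is enforced.
    """
    allowed_hosts = policy.get(path)
    if allowed_hosts is None:
        return True, "no policy for this path"
    if not referer:
        # Browsers, proxies and privacy tools routinely strip Referer; a strict
        # policy has to reject here, and that is a usability cost of this
        # enforcement mechanism rather than a bug in the check.
        return False, "missing Referer"
    host = urlparse(referer).hostname
    if host is None:
        return False, "unparseable Referer"
    if host == site_host and "self" in allowed_hosts:
        return True, "same-site request"
    if host in allowed_hosts:
        return True, "explicitly allowed referrer"
    return False, "referrer %s not allowed for %s" % (host, path)


def policy_entries(policy=POLICY):
    """Count the hand-maintained entries, i.e. the size of the policy description."""
    return sum(len(hosts) for hosts in policy.values())


if __name__ == "__main__":
    for p, r in [("/comments", "http://example.test/post/1"),
                 ("/comments", "http://forwarder.example.test/go"),
                 ("/account/transfer", "http://forwarder.example.test/go"),
                 ("/account/transfer", None)]:
        print(p, r, referer_allowed(p, r))
    print("entries to maintain:", policy_entries())
```

Note that the check only decides whether a request matches the written policy; the Referer header is supplied by the client and is absent in many legitimate requests, so a site relying on it is choosing between rejecting those requests and leaving the page open, which is the trade-off the reply is describing.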


