
HTTP referers should not be relied on

    Details

    • Message:
      "referer" header should not be relied on
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      C#, C++, Objective-C, PHP, Python, VB.Net
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-293, CWE-807
    • OWASP:
      A2
    • SANS Top 25:
      Porous Defenses

      Description

      The fields in an HTTP request are putty in the hands of an attacker, and you cannot rely on them to tell you the truth about anything. The Referer header is a clear case: the client sets it, so it can be forged with a single command-line flag, and legitimate browsers omit or truncate it under a restrictive Referrer-Policy or privacy settings. It therefore cannot prove where a request came from, neither for authentication or authorization (CWE-293) nor as the sole basis of any other security decision such as CSRF protection (CWE-807). While it may be safe to store such values after they have been neutralized, decisions should never be made based on their contents.

      This rule flags every use of the Referer header field.
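      The following is an added example, not code from the rule specification or from SonarSource, written in Python (one of the rule's targeted languages) to show why a Referer-based decision is unreliable in both directions and what a compliant check looks like. The request dicts, ALLOWED_ORIGIN and the X-CSRF-Token header name are constructed for the illustration.

```python
import hmac
import secrets
from typing import Mapping

# Hypothetical trusted front-end origin (assumption for this example).
ALLOWED_ORIGIN = "https://app.example.com"


def delete_account_referer_check(headers: Mapping[str, str]) -> bool:
    """NON-COMPLIANT: authorizes a state-changing action purely from the
    client-supplied Referer header. This is the pattern the rule flags
    (CWE-293 / CWE-807)."""
    referer = headers.get("Referer", "")
    return referer.startswith(ALLOWED_ORIGIN + "/")


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def delete_account_token_check(headers: Mapping[str, str],
                               session: Mapping[str, str]) -> bool:
    """COMPLIANT: the decision rests on a secret the attacker cannot know
    (the session-bound CSRF token), compared in constant time. The Referer
    header is not consulted at all."""
    expected = session.get("csrf_token")
    presented = headers.get("X-CSRF-Token", "")
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def demo() -> dict:
    """Run both checks over constructed sample requests (not real traffic)."""
    session: dict = {}
    token = issue_csrf_token(session)

    # Legitimate request from the real front end.
    legit = {"Referer": ALLOWED_ORIGIN + "/settings", "X-CSRF-Token": token}
    # Cross-site request whose Referer the attacker forged
    # (curl -H 'Referer: ...' is all it takes); it cannot carry the token.
    forged = {"Referer": ALLOWED_ORIGIN + "/settings"}
    # Legitimate user whose browser stripped the Referer
    # (Referrer-Policy: no-referrer, privacy extension, HTTPS->HTTP downgrade).
    stripped = {"X-CSRF-Token": token}
    # Lookalike origin; rejected here only because the prefix includes the
    # trailing slash. A check against the bare origin string would accept it.
    lookalike = {"Referer": "https://app.example.com.evil.test/x"}

    return {
        "referer_accepts_legit": delete_account_referer_check(legit),
        "referer_accepts_forged": delete_account_referer_check(forged),
        "referer_accepts_stripped": delete_account_referer_check(stripped),
        "referer_accepts_lookalike": delete_account_referer_check(lookalike),
        "token_accepts_legit": delete_account_token_check(legit, session),
        "token_accepts_forged": delete_account_token_check(forged, session),
        "token_accepts_stripped": delete_account_token_check(stripped, session),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

      The Referer check fails both ways: it lets the forged cross-site request through and locks out the real user whose browser withheld the header. The token check is unaffected by anything the attacker can put in a header, which is the property a security decision needs.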

      See

        • CWE-293 - Using Referer Field for Authentication
        • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
        • OWASP Top 10 - A2
        • SANS Top 25 - Porous Defenses

      Issue Links

        • Java RSPEC-2090 (Language-Specification, Active, Unassigned)

            Activity

      People

        • Assignee: Unassigned
        • Reporter: Ann Campbell (ann.campbell.2)