> thinking more along the lines of CC #'s
Same applies, surely?
In addition to my last mail: you shouldn't use 'session.' there if your
session variables are client-side, i.e. cookies :-)
Thomas Chiverton <[EMAIL PROTECTED]> on 04/20/2001 08:27:50 AM
Please respond to [EMAIL PROTECTED]
To: CF-Talk <[EMAIL PROTECTED]>
cc:
Subject: RE: Forging HTTP headers
> how do you get the info to the session variable w/o the form?
If you're asking how you store things like the price, then:
<cfset session.price = price>
<cfset session.id = CreateUUID()>
<cfoutput><input type="hidden" name="id" value="#session.id#"></cfoutput>
<cfif form.id eq session.id>
    <cfset price = session.price>
    <!--- [take other actions, place o --->
</cfif>
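The same idea worked through in Python, as an added example rather than code from the thread: the authoritative price and a one-time token live in a server-side session (the follow-up about cookie-backed sessions applies here; this assumes a server-side store), the form carries only the token, and the checkout handler ignores whatever price or Referer the client sends. The catalogue, the session dict and the form dicts are constructed inline for the demonstration.

```python
"""Server-side price plus a per-form token, the pattern sketched above.

Added example, not code from the thread. CATALOGUE, the session dict and
the form dicts are constructed here so the script runs offline; a real
application would back the session with a server-side store.
"""
import hmac
import secrets

# Constructed catalogue: the only place a price should ever come from.
CATALOGUE = {"sku-1": 19.99, "sku-2": 4.50}


def render_order_form(session, sku):
    """Counterpart of 'session.price = #price#' / 'session.ID = ...':
    store the price server-side, mint an unguessable token, and return the
    one hidden field the HTML form needs to carry."""
    session["price"] = CATALOGUE[sku]
    session["sku"] = sku
    session["id"] = secrets.token_urlsafe(16)
    return {"id": session["id"]}


def vulnerable_checkout(form):
    """The handler the question describes: it believes form.price, so a
    saved copy of the form with the hidden field edited sets the price."""
    return float(form["price"])


def checkout(session, form):
    """Fixed handler: form.price and the Referer are never consulted.
    The submission is accepted only if its token matches the session's
    token (constant-time compare), the token is consumed so a saved form
    cannot be replayed, and the price is read from the session."""
    expected = session.pop("id", None)
    supplied = form.get("id", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        raise PermissionError("form token does not match session")
    return session["price"]


if __name__ == "__main__":
    session = {}
    hidden = render_order_form(session, "sku-1")
    # Attacker keeps the genuine token but edits the hidden price field.
    tampered = {"id": hidden["id"], "price": "0.01"}
    print("vulnerable handler charges:", vulnerable_checkout(tampered))
    print("fixed handler charges:     ", checkout(session, tampered))
```

Because the token is popped before comparison, a mismatch also invalidates the form, so an attacker cannot keep guessing against one session; the user simply has to reload the order page to get a fresh token.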
Thomas Chiverton <[EMAIL PROTECTED]> on 04/20/2001 07:51:38 AM
Please respond to [EMAIL PROTECTED]
To: CF-Talk <[EMAIL PROTECTED]>
cc:
Subject: RE: Forging HTTP headers
> I'm trying to simulate the scenario when someone saves an
> online form to
> their hard drive, alters a hidden form field containing the
> price someone
> should pay, reloads the local form in their browser, falsifies the
> cgi.HTTP_REFERER value and resubmits the form.
It depends if the serv
> using netcat or telnet, pass a raw HTTP request like the following:
> GET /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
> Host: www.speeddy3d.com
> User-Agent: n30/browser
> Referer: http://www.speeddy3d.com/cgi-bin/news/news.cgi
K, thanks.
Is it possible to
> So... does anyone know how it's done?
using netcat or telnet, pass a raw HTTP request like the following:
GET /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
Host: www.speeddy3d.com
User-Agent: n30/browser
Referer: http://www.speeddy3d.com/cgi-bin/news/news.cgi
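A worked version of the netcat approach, added here and not part of the thread: it assembles the raw HTTP/1.0 request (request line first, then headers, then the blank line that ends the header block) so the Referer is whatever the sender types, and parses it back into the CGI variables a server-side script would read, which is why cgi.HTTP_REFERER says nothing reliable about where a form came from. The host, path and form body are constructed placeholders; send_raw() is only for running by hand against a host you control.

```python
"""Forge a Referer by writing the HTTP request bytes ourselves.

Added example, not code from the thread. www.example.invalid, the paths
and the form body are placeholders; nothing is sent unless send_raw() is
called explicitly.
"""
import socket


def build_request(method, path, host, referer, body=None,
                  user_agent="n30/browser"):
    """Return raw HTTP/1.0 request bytes. The request line comes first,
    then headers, then CRLF CRLF; a form body, if any, follows."""
    lines = [
        f"{method} {path} HTTP/1.0",
        f"Host: {host}",
        f"User-Agent: {user_agent}",
        f"Referer: {referer}",           # entirely under the sender's control
    ]
    data = b""
    if body is not None:
        data = body.encode()
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(data)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + data


def cgi_environment(raw):
    """Parse raw request bytes into the CGI variables a script sees
    (ColdFusion exposes these as cgi.HTTP_REFERER, cgi.HTTP_HOST, ...).
    Each header is copied into HTTP_<NAME> unchanged, which is the point:
    the server cannot tell a forged Referer from a browser-sent one."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    method, path, _version = request_line.split(" ")
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path}
    for line in header_lines:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    env["BODY"] = body.decode()
    return env


def send_raw(raw, host, port=80, timeout=5):
    """Deliver the bytes over a plain socket, netcat-style, and return
    the first chunk of the response. Only use against your own host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        return sock.recv(65536)


if __name__ == "__main__":
    # Constructed scenario: a saved order form resubmitted with the hidden
    # price edited and a Referer pointing back at the genuine order page.
    raw = build_request(
        "POST", "/checkout.cfm", "www.example.invalid",
        "http://www.example.invalid/order.cfm", body="id=123&price=0.01")
    print(raw.decode())
    env = cgi_environment(raw)
    print("server sees cgi.HTTP_REFERER =", env["HTTP_REFERER"])
    print("server sees form body        =", env["BODY"])
```

The parsed environment makes the thread's point concrete: HTTP_REFERER and the form body arrive as plain text in the same TCP stream, so a check on cgi.HTTP_REFERER is defeated by the same tool that edits the hidden price field.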
OK, after listening to you guys I've gone ahead and told someone that it's
possible to forge the cgi.HTTP_REFERER value. Their reply (perhaps
understandably) was "show me how".
So... does anyone know how it's done?
Thanks
--
Aidan Whitehall <[EMAIL PROTECTED]>
Netshopperuk
Telephone +44 (017