RE: Forging HTTP headers

2001-04-20 Thread Thomas Chiverton
> thinking more along the lines of CC #'s

Same applies, surely? In addition to my last mail - you shouldn't use 'session.' there if your session variables are client side i.e. cookies :-)

RE: Forging HTTP headers

2001-04-20 Thread savan . thongvanh
thinking more along the lines of CC #'s

Thomas Chiverton <[EMAIL PROTECTED]> on 04/20/2001 08:27:50 AM
Please respond to [EMAIL PROTECTED]
To: CF-Talk <[EMAIL PROTECTED]>
cc:
Subject: RE: Forging HTTP headers

> how do you get the info to the session variable w

RE: Forging HTTP headers

2001-04-20 Thread Thomas Chiverton
> how do you get the info to the session variable w/o the form?

If you're asking how you store things like the price, then:

session.price=#price#
session.ID=generateGUID()
[output from, hidden field containing session.id]
if form.id eq session.id
price=session.price
[take other actions, place o
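
The pattern sketched in the message above, modelled in Python rather than ColdFusion as an added example that is not part of the original thread: the price stays in server-side session data and only a one-time form id goes into the hidden field. The SESSIONS dict, the function names, the shop.example host and the sample values are all constructed for illustration, and the session store is assumed to live on the server, not in cookies.

```python
import uuid
from hmac import compare_digest

SESSIONS = {}  # constructed stand-in for a server-side session scope

def render_form(session_id, price_pence):
    """Store the price on the server; only a one-time form id reaches the browser."""
    form_id = uuid.uuid4().hex
    SESSIONS[session_id] = {"price": price_pence, "form_id": form_id}
    return {"id": form_id}  # the hidden field(s) written into the page

def handle_naive(form, headers):
    """'Before' version: trusts the Referer header and a hidden price field."""
    if not headers.get("Referer", "").startswith("http://shop.example/"):
        raise PermissionError("unexpected referer")
    return int(form["price"])  # whatever the client sent

def handle_hardened(session_id, form, headers):
    """Charge the server-side price; Referer and any posted price are never read."""
    session = SESSIONS.get(session_id)
    if session is None or session["form_id"] is None:
        raise PermissionError("no form outstanding for this session")
    posted = str(form.get("id", "")).encode()
    if not compare_digest(posted, session["form_id"].encode()):
        raise PermissionError("form id mismatch")
    session["form_id"] = None  # each rendered form is accepted once
    return session["price"]

def demo():
    """Constructed submission: real form id, altered price, matching Referer."""
    hidden = render_form("sess-1", 4999)
    form = {"id": hidden["id"], "price": "1"}
    headers = {"Referer": "http://shop.example/order.cfm"}
    return handle_naive(form, headers), handle_hardened("sess-1", form, headers)

if __name__ == "__main__":
    print(demo())
```

The naive handler returns the posted price, while the hardened one returns the amount stored when the form was rendered and rejects a second submission of the same form id.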

RE: Forging HTTP headers

2001-04-20 Thread savan . thongvanh
how do you get the info to the session variable w/o the form?

Thomas Chiverton <[EMAIL PROTECTED]> on 04/20/2001 07:51:38 AM
Please respond to [EMAIL PROTECTED]
To: CF-Talk <[EMAIL PROTECTED]>
cc:
Subject: RE: Forging HTTP headers

> I'm trying to simulate the s

RE: Forging HTTP headers

2001-04-20 Thread Thomas Chiverton
> I'm trying to simulate the scenario when someone saves an online form to
> their hard drive, alters a hidden form field containing the price someone
> should pay, reloads the local form in their browser, falsifies the
> cgi.HTTP_REFERER value and resubmits the form.

It depends if the serv

RE: Forging HTTP headers

2001-04-20 Thread Aidan Whitehall
> using netcat or telnet, pass a raw HTTP request like the following:
> GET /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
> User-Agent: n30/browser
> Host: www.speeddy3d.com
> Referer: http://www.speeddy3d.com/cgi-bin/news/news.cgi

K, thanks. Is it possible to

RE: Forging HTTP headers

2001-04-19 Thread Thomas Chiverton
> So... does anyone know how it's done?

using netcat or telnet, pass a raw HTTP request like the following:

GET /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
User-Agent: n30/browser
Host: www.speeddy3d.com
Referer: http://www.speeddy3d.com/cgi-bin/news/news.cgi

Forging HTTP headers

2001-04-19 Thread Aidan Whitehall
OK, after listening to you guys I've gone ahead and told someone that it's possible to forge the cgi.HTTP_REFERER value. Their reply (perhaps understandably) was "show me how".

So... does anyone know how it's done?

Thanks

--
Aidan Whitehall <[EMAIL PROTECTED]>
Netshopperuk
Telephone +44 (017