Best way to check that requests to a cfc are coming from a swf file on a specific server

Enthusiast, Mar 06, 2012
hi friends,

What is the best way to check that requests to a cfc are coming from a swf file on a specific server? Can it be spoofed?

Correct answer

Guide, Mar 06, 2012

A server can only check what it is *sent*, all of which is inside the CGI scope. Most (all?) of this data can be spoofed, hence the need for firewalls which can inspect packets far more closely.

Do a dump of the CGI scope; you'll see what you get. You can check the CGI.REMOTE_ADDR to get the IP of the remote server, but you can't know the name of the page that made the call, no.

Advocate, Mar 06, 2012
You may also want to take a look at the HTTP_USER_AGENT in the CGI scope as well. The call from the SWF might appear different from what you might expect would be the typical user agent of a browser. Of course, there pretty much is no guarantee that those values aren't spoofed.

If you want to lock down your remote calls to ensure that you are only providing data to your internal application, your best bet is to implement a validation security routine that you can use to verify that a request is valid (assuming that you control the code behind the SWF and the CFC).

Community Expert, Mar 07, 2012
nikos101 wrote:

hi friends,

What is the best way to check that requests to a cfc are coming from a swf file on a specific server?

A simple solution, here and in most http communication, is to require the requester to send you a security token in the query string.

Can it be spoofed?

Yes, however with difficulty, depending on how hard it is to guess your token.
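A worked version of the token check this reply describes, added here as an example and not code from the thread or from ColdFusion: the same logic would live in the CFC, but it is shown in Python with a plain dict standing in for the CGI scope (REMOTE_ADDR, HTTP_USER_AGENT, QUERY_STRING) discussed earlier in the thread. It goes a step beyond a static query-string token by deriving the token with an HMAC over the method name and a timestamp and rejecting replays; the secret, the allowlist and the parameter names `method`, `ts` and `token` are assumptions.

```python
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import parse_qs

# Constructed values for the example. The secret must also be known to the SWF,
# so anyone who decompiles the SWF can mint tokens: the scheme raises the bar,
# it does not make spoofing impossible (as the thread says).
SHARED_SECRET = b"example-shared-secret-not-for-production"
ALLOWED_CALLERS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed allowlist
MAX_SKEW = 300  # seconds a token is accepted; bounds replay and clock drift
_seen_tokens: set = set()  # tokens already accepted, to reject replays inside MAX_SKEW

def make_token(method: str, ts: int, secret: bytes = SHARED_SECRET) -> str:
    """Token the SWF appends to the query string: HMAC-SHA256 over method and timestamp."""
    return hmac.new(secret, f"{method}|{ts}".encode(), hashlib.sha256).hexdigest()

def validate_request(cgi: dict, now=None) -> tuple:
    """Return (accepted, reason) for a CFC call; `cgi` mimics the CGI scope."""
    now = int(time.time()) if now is None else now
    # 1. REMOTE_ADDR is the only transport-level value the server sees. It can be
    #    proxied or spoofed, so it is a coarse filter, not proof of origin.
    try:
        addr = ipaddress.ip_address(cgi.get("REMOTE_ADDR", ""))
    except ValueError:
        return False, "malformed REMOTE_ADDR"
    if not any(addr in net for net in ALLOWED_CALLERS):
        return False, "caller not in allowlist"
    # 2. HTTP_USER_AGENT is trivially forged; keep it for logging only.
    ua = cgi.get("HTTP_USER_AGENT", "")
    # 3. The token binds the request to a holder of the shared secret.
    qs = parse_qs(cgi.get("QUERY_STRING", ""))
    method = qs.get("method", [""])[0]
    ts_raw = qs.get("ts", [""])[0]
    token = qs.get("token", [""])[0]
    if not (method and ts_raw.isdigit() and token):
        return False, "missing method, ts or token"
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW:
        return False, "token outside validity window"
    # Constant-time compare so the token cannot be guessed via timing differences.
    if not hmac.compare_digest(make_token(method, ts), token):
        return False, "token mismatch"
    if token in _seen_tokens:
        return False, "token replayed"
    _seen_tokens.add(token)
    return True, f"accepted (ua={ua!r})"
```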

Enthusiast, Mar 09, 2012
thanks friends
