Best way to check that requests to a cfc are coming from a swf file on a specific server

Mar 6, 2012 7:31 AM

hi friends,

 

What is the best way to check that requests to a cfc are coming from a swf file on a specific server? Can it be spoofed?

 
Replies
  • Mar 6, 2012 7:37 AM   in reply to nikos101

    A server can only check what it is *sent*, all of which is inside the CGI scope. Most (all?) of this data can be spoofed, hence the need for firewalls which can inspect packets far more closely.

     

    Do a dump of the CGI scope, you'll see what you get. You can check the CGI.REMOTE_ADDR to get the IP of the remote server, but you can't know the name of the page that made the call, no.

     
  • Mar 6, 2012 2:26 PM   in reply to Owain North

    You may also want to take a look at the HTTP_USER_AGENT in the CGI scope as well.  The call from the SWF might appear different from what you might expect would be the typical user agent of a browser.  Of course, there pretty much is no guarantee that those values aren't spoofed.

     

    If you want to lock down your remote calls to ensure that you are only providing data to your internal application, your best bet is to implement a validation security routine that you can use to verify that a request is valid (assuming that you control the code behind the SWF and the CFC).

     
  • Mar 7, 2012 11:55 AM   in reply to nikos101

    nikos101 wrote:

     

    hi friends,

     

    What is the best way to check that requests to a cfc are coming from a swf file on a specific server?

     

    A simple solution, here and in most http communication, is to require the requester to send you a security token in the query string.

     

    Can it be spoofed?

     

    Yes, however with difficulty, depending on how hard it is to guess your token.

     
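The replies above make two points: everything in the CGI scope (REMOTE_ADDR, HTTP_USER_AGENT, ...) is simply what the client chose to send, and the only check that actually binds a request to code you control is a token the caller has to compute. The following is an added example, not code from this thread or from ColdFusion; it is written in Python so the scheme can be run stand-alone, but the server half is what the CFC would implement and the client half is what the SWF would do before calling it. Instead of a static guessable token it uses an HMAC over the request parameters plus a timestamp and a nonce. The shared secret, the allow-listed address (an RFC 5737 documentation IP), the method and parameter names and the sample requests are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed values for this example; nothing here comes from the original thread.
SHARED_SECRET = b"example-only-replace-with-32-random-bytes"
ALLOWED_REMOTE_ADDRS = {"203.0.113.10"}   # hypothetical server, RFC 5737 range
MAX_SKEW_SECONDS = 300                     # how long a captured token stays usable
REQUIRED = ("method", "ts", "nonce", "sig")


def canonical_string(params):
    """Deterministic encoding of every parameter except the signature itself."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "sig"))


def compute_sig(params, secret):
    return hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def sign_request(method, params, secret=SHARED_SECRET, now=None, nonce=None):
    """Caller side (what the SWF would do): add method, timestamp, nonce, then the HMAC."""
    signed = dict(params)
    signed["method"] = method
    signed["ts"] = str(int(time.time() if now is None else now))
    signed["nonce"] = nonce or secrets.token_hex(8)
    signed["sig"] = compute_sig(signed, secret)
    return signed


def validate_request(cgi, params, secret=SHARED_SECRET, now=None, seen_nonces=None):
    """Server side (what the CFC would do). `cgi` stands in for the CGI scope.
    Returns (ok, reason)."""
    # 1. Coarse network check. REMOTE_ADDR is the TCP peer the server actually
    #    spoke to, so the caller cannot set it to an arbitrary value; it is only
    #    misleading when a proxy in front of you rewrites it. Do not substitute
    #    X-Forwarded-For here: that header is whatever the client typed.
    if cgi.get("REMOTE_ADDR") not in ALLOWED_REMOTE_ADDRS:
        return False, "remote address not allowed"
    # 2. Structural check: every token field must be present.
    if any(k not in params for k in REQUIRED):
        return False, "missing token fields"
    # 3. Freshness: a bounded clock skew limits how long a sniffed token is useful.
    try:
        ts = int(params["ts"])
    except ValueError:
        return False, "bad timestamp"
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "token expired"
    # 4. Replay: a nonce may be used once within the skew window.
    if seen_nonces is not None and params["nonce"] in seen_nonces:
        return False, "nonce replayed"
    # 5. Authenticity: recompute the HMAC and compare in constant time, on bytes,
    #    so the comparison neither leaks matching prefixes nor raises on odd input.
    expected = compute_sig(params, secret).encode()
    if not hmac.compare_digest(expected, str(params["sig"]).encode()):
        return False, "bad signature"
    # Record the nonce only after verification so a forger cannot burn nonces.
    if seen_nonces is not None:
        seen_nonces.add(params["nonce"])
    return True, "ok"


def demo():
    """Constructed requests: a legitimate call, a forgery, a replay, a stale token, tampering."""
    cgi = {"REMOTE_ADDR": "203.0.113.10",
           "HTTP_USER_AGENT": "Shockwave Flash"}   # the UA is whatever the client sends
    seen = set()
    t0 = 1_331_000_000
    good = sign_request("getOrders", {"customerId": "42"}, now=t0, nonce="a1b2c3d4")
    results = {}
    results["legit"] = validate_request(cgi, good, now=t0 + 5, seen_nonces=seen)
    # The forger knows the IP, the User-Agent and the parameter names, but not the key.
    forged = sign_request("getOrders", {"customerId": "42"}, secret=b"guess", now=t0)
    results["forged"] = validate_request(cgi, forged, now=t0 + 5, seen_nonces=seen)
    # The valid request captured on the wire and sent again.
    results["replay"] = validate_request(cgi, dict(good), now=t0 + 10, seen_nonces=seen)
    # The same capture sent well after the skew window.
    results["stale"] = validate_request(cgi, dict(good), now=t0 + 3600, seen_nonces=set())
    # Changing a signed parameter invalidates the signature.
    results["tampered"] = validate_request(cgi, dict(good, customerId="43"),
                                           now=t0 + 5, seen_nonces=set())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Two caveats a practitioner would want alongside this. First, the forged request above carries the right REMOTE_ADDR and the right User-Agent and still fails, which is the whole point: those CGI values cost the attacker nothing, the HMAC key does. Second, if the SWF is downloaded by end users' browsers, any secret compiled into it can be recovered by decompiling the SWF, so the token then only raises the bar rather than proving the caller; in that case have the server hand the SWF a short-lived token per session instead of baking a long-lived key into it. The scheme is only a real server-to-server authenticator when the secret lives on a machine you control.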
