nikos101
Inspiring
March 6, 2012
Answered

Best way to check that requests to a CFC are coming from a SWF file on a specific server

  • March 6, 2012
  • 2 replies
  • 1128 views

hi friends,

What is the best way to check that requests to a CFC are coming from a SWF file on a specific server? Can it be spoofed?

Correct answer Owainnorth

A server can only check what it is *sent*, all of which is inside the CGI scope. Most (all?) of this data can be spoofed, hence the need for firewalls which can inspect packets far more closely.

Do a dump of the CGI scope, you'll see what you get. You can check the CGI.REMOTE_ADDR to get the IP of the remote server, but you can't know the name of the page that made the call, no.

2 replies

BKBK
Community Expert
March 7, 2012

nikos101 wrote:

hi friends,

What is the best way to check that requests to a CFC are coming from a SWF file on a specific server?

A simple solution, here and in most http communication, is to require the requester to send you a security token in the query string.

Can it be spoofed?

Yes, however with difficulty, depending on how hard it is to guess your token.

nikos101 (Author)
Inspiring
March 9, 2012

thanks friends


Inspiring
March 6, 2012

You may also want to take a look at the HTTP_USER_AGENT in the CGI scope as well. The call from the SWF might appear different from what you might expect would be the typical user agent of a browser. Of course, there pretty much is no guarantee that those values aren't spoofed.

If you want to lock down your remote calls to ensure that you are only providing data to your internal application, your best bet is to implement a validation security routine that you can use to verify that a request is valid (assuming that you control the code behind the SWF and the CFC).
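The "security token in the query string" that BKBK suggests and the "validation security routine" in the reply above, put together as an added example (not code from this thread; written in Python to model the check, the CFC itself would do the same in CFML). It assumes the SWF and the CFC share a secret, that the SWF sends a timestamp, a nonce and an HMAC over both in the URL scope, and that the CFC treats CGI.REMOTE_ADDR as a weak, spoofable extra signal rather than as the decision; the secret, the allowed address and the function names are constructed for the example.

```python
import hmac
import hashlib

# Constructed values: the real secret lives in server-side config and is
# compiled into (or fetched by) the SWF; anyone holding the SWF can read it,
# so this raises the bar for a caller, it does not prove which client sent it.
SHARED_SECRET = b"example-shared-secret-change-me"
ALLOWED_REMOTE_ADDRS = {"203.0.113.10"}   # documentation-range IP, constructed
MAX_SKEW_SECONDS = 300                    # how old a timestamp may be


def make_token(timestamp: int, nonce: str, secret: bytes = SHARED_SECRET) -> str:
    """What the SWF side computes and appends to the query string as ?token=..."""
    msg = f"{timestamp}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def validate_request(cgi: dict, url: dict, now: int,
                     secret: bytes = SHARED_SECRET, seen_nonces=None):
    """Server-side check over the only two things the CFC can see: the CGI
    scope (cgi) and the URL scope (url). Returns (accepted, reason)."""
    seen_nonces = seen_nonces if seen_nonces is not None else set()
    # Weak signal: CGI.REMOTE_ADDR can be spoofed or sit behind a proxy.
    # Log it and use it as a filter, never as the only check.
    if cgi.get("REMOTE_ADDR") not in ALLOWED_REMOTE_ADDRS:
        return False, "remote_addr_not_allowed"
    try:
        ts = int(url.get("ts", ""))
    except ValueError:
        return False, "bad_timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale_timestamp"          # limits replay of old URLs
    nonce = url.get("nonce", "")
    if not nonce or nonce in seen_nonces:
        return False, "replayed_nonce"           # same URL sent twice
    expected = make_token(ts, nonce, secret)
    # Constant-time comparison so a wrong token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode(), url.get("token", "").encode()):
        return False, "bad_token"
    seen_nonces.add(nonce)                       # only remember nonces that passed
    return True, "ok"
```

Keep the nonce set in a shared, expiring store (the application scope with a sweep, or a cache) rather than per-request memory, otherwise the replay check does nothing across requests.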