Intro
Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.
Solutions for Referer header strip
Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
- learn something very cool;
- have a serious headache from all the new info at the end.
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Conclusion
As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)
Related articles
- Pentest Tools Windows
- Pentest Tools Open Source
- Pentest Tools Bluekeep
- Hacking Tools For Kali Linux
- Nsa Hack Tools
- Hack Tool Apk No Root
- Hack Tools For Mac
- Pentest Tools Windows
- Hacking Tools Windows
- Github Hacking Tools
- Hacker Security Tools
- Pentest Tools List
- How To Make Hacking Tools
- Pentest Tools For Windows
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Android
- Hack Tools Mac
- Hacker Tools Apk Download
- Hacker Tools Free
- Hacker Tools Mac
- Hacking Tools Windows
- Easy Hack Tools
- Hacking Tools For Windows Free Download
- Hack Tools For Games
- Best Pentesting Tools 2018
- What Are Hacking Tools
- Hacking Tools 2019
- World No 1 Hacker Software
- Pentest Tools Free
- Hacking Tools For Beginners
- What Is Hacking Tools
- Android Hack Tools Github
- Hacker Tools 2020
- Hacker Tools Windows
- Hack Tools
- Tools Used For Hacking
- Kik Hack Tools
- Tools For Hacker
- Hacking Tools Pc
- Pentest Tools Free
- Hacker Search Tools
- Hacker Tools 2020
- Best Hacking Tools 2019
- Hacking Tools For Windows 7
- Hacking Tools Kit
- Hacker Tools
- Pentest Tools List
- Hack Tools For Ubuntu
- Hacker
- New Hack Tools
- Hacking Tools Download
- Hacking Tools Name
- Pentest Tools Website Vulnerability
- Pentest Tools Linux
- Pentest Tools Online
- Pentest Tools Alternative
- Hack Tools For Games
- Hacking Tools Online
- Hackers Toolbox
- Hacker Tools For Mac
- Hacking Tools
- Usb Pentest Tools
- Pentest Tools Port Scanner
- World No 1 Hacker Software
- Game Hacking
- Hack Tools For Games
- Pentest Tools Find Subdomains
- Hack Tools
- Hack Tools For Ubuntu
- Pentest Tools Kali Linux
- Hacker Tools
- Hacking Tools 2020
- Hak5 Tools
- Blackhat Hacker Tools
- Hack Tools Pc
- Hacker Tools Free Download
- Hacker Tools Windows
- Github Hacking Tools
- Hacking Tools Hardware
- Pentest Tools Url Fuzzer
- Hacking Tools Hardware
- Hacker Tools For Ios
- Hack Tools
- Pentest Tools Subdomain
- Free Pentest Tools For Windows
- Hacker Techniques Tools And Incident Handling
- Pentest Tools For Windows
- Growth Hacker Tools
- Hacker Tools Github
- Hacking Tools For Windows Free Download
- Beginner Hacker Tools
- How To Hack
- Hacking Tools For Pc
- Pentest Tools Website Vulnerability
- Pentest Tools Apk
- How To Hack
- Hacker Tools Linux
- Hacker Tools Online
- Pentest Tools Free
- Hack Tools
- Hacking App
- Computer Hacker
- Pentest Tools Github
- Pentest Tools Subdomain
- Hacker Tools Free Download
- Bluetooth Hacking Tools Kali
- Growth Hacker Tools
- Hacker Tools Linux
- Pentest Tools Alternative
- Computer Hacker
- Hacking Tools
- How To Hack
- Tools For Hacker
- Hack Tools For Ubuntu
- Wifi Hacker Tools For Windows
- New Hacker Tools
- Hacker Tools Free
- Black Hat Hacker Tools
- Hacker Security Tools
- Pentest Tools Android
- Pentest Tools Website
- Hacker Tools Hardware
- New Hacker Tools
- How To Install Pentest Tools In Ubuntu
- Hacking Tools For Windows Free Download
- Hack Apps
- Hack Tools For Games
- Tools For Hacker
- Hacker Tools 2020
- Hacking Tools 2020
- Wifi Hacker Tools For Windows
No comments:
Post a Comment