Intro
Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.
Solutions for Referer header strip
Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
- learn something very cool;
- have a serious headache from all the new info at the end.
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Conclusion
As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)
Related articles
- Hacker Tools Apk
- Hacking Tools For Pc
- Hack Tools Mac
- What Is Hacking Tools
- Hack App
- Best Hacking Tools 2019
- Pentest Tools
- New Hacker Tools
- Pentest Tools Website
- Hacking Tools Software
- Hacking App
- Hacking Tools For Games
- Hack Tool Apk
- Nsa Hacker Tools
- Best Pentesting Tools 2018
- Hacking Tools Online
- Hack Tools For Ubuntu
- Hacker Tools Linux
- Pentest Tools List
- Hacking Tools Name
- Hack Tools For Ubuntu
- Hacking Tools For Games
- Hack Tools For Games
- Hak5 Tools
- Hacker Tools List
- World No 1 Hacker Software
- Hacking Tools For Windows Free Download
- Hacking Tools Github
- How To Install Pentest Tools In Ubuntu
- Hacker Tools Apk Download
- Tools For Hacker
- Hacker Tools Linux
- Hacker Tools Online
- Tools For Hacker
- Hacking Tools
- Hack App
- Hack Tools
- Hacking Tools For Pc
- Bluetooth Hacking Tools Kali
- Hacking Tools Mac
- Pentest Tools Website Vulnerability
- Bluetooth Hacking Tools Kali
- Ethical Hacker Tools
- Hacking Tools Windows 10
- Hacking Tools Download
- Hacker Tools Free Download
- Pentest Tools Nmap
- Pentest Tools Alternative
- Pentest Tools Framework
- Hacks And Tools
- Hacker Techniques Tools And Incident Handling
- Hacker Tools For Ios
- Hack Tools Pc
- Hacking Tools Windows 10
- Hack Tools
- Pentest Tools Online
- Pentest Tools Open Source
- How To Install Pentest Tools In Ubuntu
- Pentest Tools Bluekeep
- Hacking Tools Hardware
- Pentest Box Tools Download
- Pentest Tools For Mac
- Hacking Tools Usb
- World No 1 Hacker Software
- Pentest Tools Review
- Nsa Hacker Tools
- Android Hack Tools Github
- Pentest Tools Linux
- What Is Hacking Tools
- Pentest Box Tools Download
- Hacker Tools 2020
- Hack Tools Github
- Hack Tools For Mac
- Tools For Hacker
- Hacking Tools 2020
- Easy Hack Tools
- Pentest Tools Open Source
- Hack Rom Tools
- Pentest Automation Tools
- Hacker Tools For Mac
- Hacker Tools 2019
- Black Hat Hacker Tools
- Hacker Tools Windows
- Hacker Tools Software
- Hack Tool Apk
- Tools 4 Hack
- Hacker Hardware Tools
- Hacker Tools Hardware
- Pentest Tools Windows
- Top Pentest Tools
- Hack Tools 2019
- How To Make Hacking Tools
- Underground Hacker Sites
- Hack Tools For Pc
- Hacking Tools For Mac
- Hack Tools Mac
- Pentest Recon Tools
- Pentest Tools
- Hackrf Tools
- Pentest Tools For Android
- Android Hack Tools Github
- Termux Hacking Tools 2019
- Hacker Tool Kit
- Nsa Hack Tools
- Hacking Tools Name
- Pentest Tools Android
- World No 1 Hacker Software
- Beginner Hacker Tools
- Hacker Tools Hardware
- Hack Tools
- Hacking Tools Windows 10
- Hack Tools For Games
- Pentest Tools Github
- Underground Hacker Sites
- Hack Tool Apk
- Hack Tools Download
- Pentest Tools Free
- Hack Tool Apk No Root
- Kik Hack Tools
- Black Hat Hacker Tools
- Hacker Tools Windows
- Hackrf Tools
- Pentest Box Tools Download
- Hacker Security Tools
- Pentest Tools Apk
- Pentest Tools Nmap
- Hacker Tools Free Download
- Usb Pentest Tools
- Hacking Tools Software
- Hack Tools For Ubuntu
- Hacking Apps
- Hack Tools
- Hacker Tools For Ios
- Hack App
- Hackrf Tools
- Hacker Tools Linux
- Pentest Tools Windows
- Hack Website Online Tool
- Hack Website Online Tool
- Hacking Tools Mac
- Hackers Toolbox
- Hack Tools Mac
- Usb Pentest Tools
- Hacking Tools Github
- Pentest Tools For Mac
- Hacking Tools Kit
- Pentest Tools For Android
- Hack Tools Github
No comments:
Post a Comment