Pages

Monday, 31 August 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

More information


  1. Hack Tools 2019
  2. Nsa Hack Tools Download
  3. Hacking Tools Windows
  4. Pentest Tools For Mac
  5. New Hacker Tools
  6. Pentest Tools Review
  7. Hacking Tools For Windows Free Download
  8. Game Hacking
  9. Hack Apps
  10. How To Hack
  11. World No 1 Hacker Software
  12. Easy Hack Tools
  13. Hack Tools 2019
  14. Hacker Tools For Mac
  15. Hacking Tools Windows 10
  16. Hacker Search Tools
  17. Pentest Tools Url Fuzzer
  18. Hacker Tools Github
  19. Hacker Tools
  20. Hacking Tools Name
  21. Hack Tools
  22. Github Hacking Tools
  23. Hacking Tools Windows 10
  24. Usb Pentest Tools
  25. Pentest Tools Alternative
  26. Hacking Tools Mac
  27. Top Pentest Tools
  28. Hack Tools Github
  29. Hacking Tools
  30. Pentest Tools Download
  31. Hacking Tools For Beginners
  32. Hacking Tools Windows 10
  33. Pentest Tools Website
  34. Hack Tools
  35. Hacker Tools Software
  36. Pentest Tools Website Vulnerability
  37. New Hack Tools
  38. New Hack Tools
  39. Top Pentest Tools
  40. Pentest Tools Website Vulnerability
  41. Hacking Tools Windows
  42. Nsa Hacker Tools
  43. Hacking App
  44. Hackers Toolbox
  45. Termux Hacking Tools 2019
  46. Pentest Tools Alternative
  47. Top Pentest Tools
  48. Hacking Tools Windows
  49. Hacking Tools Pc
  50. Pentest Tools For Mac
  51. Underground Hacker Sites
  52. Easy Hack Tools
  53. Kik Hack Tools
  54. Hack Tools Online
  55. Hacking Tools Free Download
  56. Hacker Tools Hardware
  57. Hacking Tools For Mac
  58. Hacker Tools Linux
  59. Pentest Tools Android
  60. Termux Hacking Tools 2019
  61. Pentest Tools Open Source
  62. Pentest Tools List
  63. Hacker
  64. Black Hat Hacker Tools
  65. Best Hacking Tools 2019
  66. Hacking Tools For Beginners
  67. Hacking Tools Kit
  68. What Are Hacking Tools
  69. Black Hat Hacker Tools
  70. Hacking Tools For Pc
  71. Hacker Tools Windows
  72. Hacking Tools Windows
  73. Hack Rom Tools
  74. Tools 4 Hack
  75. Hackrf Tools
  76. Hacking Tools Pc
  77. Top Pentest Tools
  78. Hacker Tools For Ios
  79. Hacker Tools Hardware
  80. Beginner Hacker Tools
  81. Pentest Tools Website
  82. Hack Tool Apk No Root
  83. Hacking Tools Name
  84. Beginner Hacker Tools
  85. How To Hack
  86. Termux Hacking Tools 2019
  87. Pentest Tools Windows
  88. Termux Hacking Tools 2019
  89. Pentest Tools Alternative
  90. Hacking Tools Windows 10
  91. Pentest Tools List
  92. Hacker Tools List
  93. Hacking Apps
  94. Pentest Tools For Mac
  95. Hack Tool Apk No Root
  96. Hacking Tools For Mac
  97. Pentest Tools Github
  98. Hak5 Tools
  99. Hacker
  100. Hack Tool Apk No Root
  101. Install Pentest Tools Ubuntu
  102. Hacking Tools Online
  103. Pentest Tools Android
  104. Best Hacking Tools 2019
  105. Hacker Tools For Ios
  106. How To Hack
  107. Hacker Search Tools
  108. Tools Used For Hacking
  109. Tools For Hacker
  110. Hacker Tools Mac
  111. Hacker Tools Free Download
  112. Nsa Hack Tools
  113. Pentest Tools Website Vulnerability
  114. Hacker Tools Apk
  115. Hacking Tools For Beginners
  116. Easy Hack Tools
  117. Hack And Tools
  118. What Is Hacking Tools
  119. Hacking Tools Download
  120. Pentest Automation Tools
  121. Hacker Search Tools
  122. Hacking Tools For Beginners
  123. Hacking Tools And Software
  124. Pentest Tools Alternative
  125. Black Hat Hacker Tools
  126. Hack Apps
  127. Growth Hacker Tools
  128. Hack Tool Apk No Root
  129. Hacker Hardware Tools
  130. Hacking Tools Mac
  131. Pentest Tools Github
  132. Wifi Hacker Tools For Windows
  133. Hack Tools Mac
  134. Hackers Toolbox
  135. Pentest Tools Github
  136. Pentest Tools For Mac
  137. Growth Hacker Tools
  138. Nsa Hack Tools
  139. Hacking Tools Github
  140. Pentest Tools Apk
  141. Hacking Tools 2019
  142. Pentest Tools Port Scanner
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)