Intro
Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.
Solutions for Referer header strip
Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
- learn something very cool;
- have a serious headache from all the new info at the end.
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Conclusion
As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)
More info
- Hacking Tools Mac
- Hacker Tools For Pc
- Hacker Tools List
- New Hacker Tools
- Hacker Tools 2020
- Hacking Tools For Windows 7
- Pentest Tools Framework
- Pentest Tools For Mac
- Hacking Tools For Games
- Hacker Tools For Mac
- Growth Hacker Tools
- Blackhat Hacker Tools
- Hacking Tools Download
- How To Make Hacking Tools
- Hack App
- Hacking Tools Online
- Pentest Tools Subdomain
- Pentest Tools Tcp Port Scanner
- Hacking Tools For Kali Linux
- Pentest Tools Android
- Github Hacking Tools
- Hacker Tools Mac
- Hack Tools For Pc
- Pentest Automation Tools
- Pentest Tools Alternative
- How To Make Hacking Tools
- Pentest Tools Nmap
- Pentest Tools Url Fuzzer
- Game Hacking
- Computer Hacker
- Hacker Hardware Tools
- Hacking Tools Free Download
- Hacking Tools
- Pentest Automation Tools
- Hacker Tools Software
- Hackers Toolbox
- Hacking Tools Name
- Underground Hacker Sites
- Hacking Tools For Windows Free Download
- Hacking Tools For Mac
- Hacking Tools Kit
- Pentest Tools Kali Linux
- Pentest Tools Website
- Hacking Tools Windows 10
- Pentest Tools Bluekeep
- Hack Tools For Ubuntu
- Pentest Tools Kali Linux
- Hacking Tools And Software
- Pentest Tools Windows
- Hacking Tools Pc
- Hackrf Tools
- Hack App
- Computer Hacker
- Pentest Tools Tcp Port Scanner
- Hacking Tools Download
- Hacking Tools For Windows
- Pentest Tools Port Scanner
- Hacker Tools List
- Hak5 Tools
- Hacking Tools Software
- Hacker Tools Mac
- Hacking Tools 2019
- Pentest Tools List
- Hacker
- Hacker Hardware Tools
- Termux Hacking Tools 2019
- Pentest Tools
- Hacker Tools Apk Download
- Usb Pentest Tools
- Pentest Automation Tools
- Hacking Apps
- Pentest Tools Android
- Pentest Tools Alternative
- Hacking Apps
- Hacker Tools For Pc
- Pentest Tools Find Subdomains
- Hack Tool Apk No Root
- Hacking Tools Windows
- Pentest Tools Github
- Hacking Tools Mac
- Hacking Tools Kit
- Hack Rom Tools
- Hacking Tools Download
- Pentest Box Tools Download
- Hacking Tools Mac
- Github Hacking Tools
- Usb Pentest Tools
- Hacking Tools Download
- Best Pentesting Tools 2018
- Hackers Toolbox
- Hacking Tools
- Pentest Tools For Mac
- Android Hack Tools Github
- Pentest Tools For Android
- Termux Hacking Tools 2019
- Pentest Automation Tools
- Pentest Tools Website
- Hacker Tools Online
- Bluetooth Hacking Tools Kali
- Hacker Tools Software
- Pentest Automation Tools
- Hack Tool Apk No Root
- Nsa Hack Tools Download
- Install Pentest Tools Ubuntu
- Pentest Tools Url Fuzzer
- Computer Hacker
- Growth Hacker Tools
- Hack Tools
- Pentest Tools Port Scanner
- Android Hack Tools Github
- New Hack Tools
- Hacker Tools Windows
- Termux Hacking Tools 2019
- Termux Hacking Tools 2019
- Pentest Tools Apk
- Pentest Tools Review
- Hack Tools Pc
- Pentest Tools Review
- Computer Hacker
- Hacking Tools Usb
- Hacker Tools 2020
- Hacking Tools
- Hack Tools For Games
- Pentest Tools Website
- Pentest Tools Website Vulnerability
- Pentest Tools Open Source
- Hacking Tools For Windows
- Computer Hacker
- Wifi Hacker Tools For Windows
No comments:
Post a Comment