Intro
Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.
Solutions for Referer header strip
Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
- learn something very cool;
- have a serious headache from all the new info at the end.
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Conclusion
As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)
More info- Hack Tools 2019
- What Are Hacking Tools
- Hacking Tools Name
- Pentest Tools Port Scanner
- Pentest Box Tools Download
- Hacker Tools Apk
- Install Pentest Tools Ubuntu
- Tools Used For Hacking
- Hacker Tools Apk
- Physical Pentest Tools
- How To Install Pentest Tools In Ubuntu
- Hacking Tools For Windows Free Download
- Hacker Tools List
- Hacking Tools Hardware
- Hacking Tools For Games
- Hacker Tools Linux
- Usb Pentest Tools
- Game Hacking
- Hacker Tools Hardware
- Hacking Tools For Games
- Beginner Hacker Tools
- Install Pentest Tools Ubuntu
- Hacking Tools Pc
- Hacker Tools For Windows
- Hacker Tools List
- Hackers Toolbox
- Hack Tools For Windows
- Hack Apps
- Pentest Tools Website
- Wifi Hacker Tools For Windows
- Pentest Tools Apk
- Install Pentest Tools Ubuntu
- Hacking Tools Download
- Pentest Tools For Windows
- Hack Tools For Mac
- Physical Pentest Tools
- Pentest Recon Tools
- Hacker Tools
- Wifi Hacker Tools For Windows
- Pentest Tools Alternative
- Nsa Hack Tools
- Pentest Tools Open Source
- Pentest Tools For Ubuntu
- Pentest Tools Download
- Termux Hacking Tools 2019
- Pentest Tools Url Fuzzer
- Pentest Tools Alternative
- Hacking Tools Windows
- Tools For Hacker
- Hacker Tools
- What Is Hacking Tools
- Pentest Box Tools Download
- Usb Pentest Tools
- Hacker Tool Kit
- Nsa Hack Tools
- Pentest Tools Online
- Pentest Tools Android
- Hacking Tools Kit
- Hackers Toolbox
- Hacking Tools For Pc
- Pentest Tools Website Vulnerability
- Hacker Tools 2020
- Pentest Tools Port Scanner
- Hack Tools
- Hack Tools For Ubuntu
- Tools Used For Hacking
- Hacking Tools Download
- Hacking Tools Online
- Hacking Tools Online
- Hacker Tools Hardware
- Pentest Automation Tools
- Hacker Tools Free Download
- Pentest Tools For Windows
- Usb Pentest Tools
- Hacking Tools And Software
- Pentest Tools
- Hack Apps
- Pentest Tools Subdomain
- Pentest Tools Tcp Port Scanner
- Hacker Tools Hardware
- Hacking Tools For Beginners
- Hack App
- Pentest Tools Port Scanner
- Pentest Tools For Android
- Hack Apps
- Termux Hacking Tools 2019
- How To Hack
- Ethical Hacker Tools
- Hacker Tool Kit
- Pentest Tools Url Fuzzer
- Game Hacking
- Ethical Hacker Tools
- Pentest Tools Open Source
- Hacking Tools 2019
- Hacker Tools Free
- Hacker Tools Linux
- Hack Tool Apk No Root
- How To Make Hacking Tools
- Tools Used For Hacking
- Hack Tools Download
- Best Hacking Tools 2020
- Pentest Tools Windows
- Hacking Tools 2020
- Hacking Tools And Software
- Kik Hack Tools
- Pentest Recon Tools
- Pentest Tools Github
- Pentest Tools For Ubuntu
- Pentest Tools For Mac
- Pentest Recon Tools
- Growth Hacker Tools
- Pentest Tools Nmap
- Pentest Tools Bluekeep
- Hack Tools For Windows
- Hacking Tools Name
- Pentest Tools Linux
- Pentest Tools For Windows
- Tools 4 Hack
- Hack Tools
- Hacking Tools Online
- Pentest Tools Website
- Pentest Tools Linux
- Computer Hacker
- Hack Tool Apk
- Hacking Tools For Windows Free Download
- Top Pentest Tools
- Hacker Tools Windows
- World No 1 Hacker Software
- Pentest Tools Nmap
- Wifi Hacker Tools For Windows
- Hack Tool Apk
- Hacking Tools 2019
- Hacker Security Tools
- Hacking Tools Windows
- Pentest Tools Bluekeep
- Hacker Tools Windows
- Hacker Tools
- Hacker Tools Software
- Termux Hacking Tools 2019
- Hack Tools For Windows
- Pentest Tools For Ubuntu
- Pentest Tools Android
- Hacker Search Tools
- Hacking Tools Download
- Pentest Tools Linux
No comments:
Post a Comment