Intro
Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.
Solutions for Referer header strip
Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
- learn something very cool;
- have a serious headache from all the new info at the end.
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Conclusion
As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)
Related news- Hack Tools 2019
- Pentest Tools Windows
- Hacking Tools Pc
- Pentest Tools Linux
- Hacker Tool Kit
- Hacking Tools For Beginners
- Tools Used For Hacking
- Hack Tools For Ubuntu
- Underground Hacker Sites
- Hacker Security Tools
- Hack App
- What Are Hacking Tools
- Hacking Tools For Windows 7
- Computer Hacker
- Pentest Tools Linux
- Pentest Tools Bluekeep
- Hacker Tools Free
- Hacker Tools Online
- Android Hack Tools Github
- Pentest Tools Tcp Port Scanner
- Tools 4 Hack
- Easy Hack Tools
- Wifi Hacker Tools For Windows
- Pentest Tools Review
- Computer Hacker
- Pentest Tools Review
- Pentest Tools Website
- Pentest Tools Port Scanner
- Pentest Tools Download
- Pentest Tools Bluekeep
- Hacker Tools List
- Install Pentest Tools Ubuntu
- Hacker Techniques Tools And Incident Handling
- Wifi Hacker Tools For Windows
- Pentest Tools Github
- Best Hacking Tools 2020
- Pentest Tools Tcp Port Scanner
- Growth Hacker Tools
- What Is Hacking Tools
- Hacking Tools Download
- Hacking Tools For Windows Free Download
- Pentest Tools Github
- Hacker Security Tools
- Hacking Tools 2019
- Game Hacking
- Wifi Hacker Tools For Windows
- Pentest Automation Tools
- Hacker Tools Online
- Pentest Tools Kali Linux
- Hacker Search Tools
- Hacking Tools Name
- Hacker Tools 2020
- Hack Website Online Tool
- Hack Tools For Pc
- Hackrf Tools
- Pentest Tools
- Hacking Tools Online
- Hacker Tools Apk
- Hacker Security Tools
- Computer Hacker
- Top Pentest Tools
- Hacking Tools For Mac
- Blackhat Hacker Tools
- Hacking Tools Mac
- Hack Website Online Tool
- Hacking Tools Software
- Hacker Tools Hardware
- Hacker Tools
- New Hacker Tools
- Github Hacking Tools
- Pentest Tools Tcp Port Scanner
- Computer Hacker
- Hack Tool Apk
- Ethical Hacker Tools
- Termux Hacking Tools 2019
- Hak5 Tools
- Hacker Search Tools
- Black Hat Hacker Tools
- Hacker Tools For Mac
- Hacking Tools 2020
- Hacker Tools Online
- Hacker Tools Linux
- Pentest Tools List
- Hacker Tools Software
- Hacker Search Tools
- Underground Hacker Sites
- Easy Hack Tools
- Game Hacking
- Physical Pentest Tools
- Hacking Tools Download
- Ethical Hacker Tools
- Hacker Tools Software
- Nsa Hacker Tools
- Hack Tools 2019
- Hacking Tools Software
- Pentest Tools Website Vulnerability
- Hacker Search Tools
- Hacking Tools For Mac
- Bluetooth Hacking Tools Kali
- Pentest Tools Linux
- Hacker Tools Linux
- Pentest Tools Subdomain
- Hacker
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.