Tuesday, August 25, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Related news
  1. Hack Tools 2019
  2. Pentest Tools Windows
  3. Hacking Tools Pc
  4. Pentest Tools Linux
  5. Hacker Tool Kit
  6. Hacking Tools For Beginners
  7. Tools Used For Hacking
  8. Hack Tools For Ubuntu
  9. Underground Hacker Sites
  10. Hacker Security Tools
  11. Hack App
  12. What Are Hacking Tools
  13. Hacking Tools For Windows 7
  14. Computer Hacker
  15. Pentest Tools Linux
  16. Pentest Tools Bluekeep
  17. Hacker Tools Free
  18. Hacker Tools Online
  19. Android Hack Tools Github
  20. Pentest Tools Tcp Port Scanner
  21. Tools 4 Hack
  22. Easy Hack Tools
  23. Wifi Hacker Tools For Windows
  24. Pentest Tools Review
  25. Computer Hacker
  26. Pentest Tools Review
  27. Pentest Tools Website
  28. Pentest Tools Port Scanner
  29. Pentest Tools Download
  30. Pentest Tools Bluekeep
  31. Hacker Tools List
  32. Install Pentest Tools Ubuntu
  33. Hacker Techniques Tools And Incident Handling
  34. Wifi Hacker Tools For Windows
  35. Pentest Tools Github
  36. Best Hacking Tools 2020
  37. Pentest Tools Tcp Port Scanner
  38. Growth Hacker Tools
  39. What Is Hacking Tools
  40. Hacking Tools Download
  41. Hacking Tools For Windows Free Download
  42. Pentest Tools Github
  43. Hacker Security Tools
  44. Hacking Tools 2019
  45. Game Hacking
  46. Wifi Hacker Tools For Windows
  47. Pentest Automation Tools
  48. Hacker Tools Online
  49. Pentest Tools Kali Linux
  50. Hacker Search Tools
  51. Hacking Tools Name
  52. Hacker Tools 2020
  53. Hack Website Online Tool
  54. Hack Tools For Pc
  55. Hackrf Tools
  56. Pentest Tools
  57. Hacking Tools Online
  58. Hacker Tools Apk
  59. Hacker Security Tools
  60. Computer Hacker
  61. Top Pentest Tools
  62. Hacking Tools For Mac
  63. Blackhat Hacker Tools
  64. Hacking Tools Mac
  65. Hack Website Online Tool
  66. Hacking Tools Software
  67. Hacker Tools Hardware
  68. Hacker Tools
  69. New Hacker Tools
  70. Github Hacking Tools
  71. Pentest Tools Tcp Port Scanner
  72. Computer Hacker
  73. Hack Tool Apk
  74. Ethical Hacker Tools
  75. Termux Hacking Tools 2019
  76. Hak5 Tools
  77. Hacker Search Tools
  78. Black Hat Hacker Tools
  79. Hacker Tools For Mac
  80. Hacking Tools 2020
  81. Hacker Tools Online
  82. Hacker Tools Linux
  83. Pentest Tools List
  84. Hacker Tools Software
  85. Hacker Search Tools
  86. Underground Hacker Sites
  87. Easy Hack Tools
  88. Game Hacking
  89. Physical Pentest Tools
  90. Hacking Tools Download
  91. Ethical Hacker Tools
  92. Hacker Tools Software
  93. Nsa Hacker Tools
  94. Hack Tools 2019
  95. Hacking Tools Software
  96. Pentest Tools Website Vulnerability
  97. Hacker Search Tools
  98. Hacking Tools For Mac
  99. Bluetooth Hacking Tools Kali
  100. Pentest Tools Linux
  101. Hacker Tools Linux
  102. Pentest Tools Subdomain
  103. Hacker

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.