Intro
Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.
Solutions for Referer header strip
Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
- learn something very cool;
- have a serious headache from all the new info at the end.
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Conclusion
As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)
Related links- Hack App
- Pentest Tools Free
- Pentest Tools Kali Linux
- Pentest Tools For Ubuntu
- Github Hacking Tools
- Hak5 Tools
- Hak5 Tools
- Hacking Tools For Windows
- Hacking Tools Pc
- Hack Tools
- Physical Pentest Tools
- Hacking App
- Hacking Tools Mac
- Hacker Techniques Tools And Incident Handling
- Hacking Tools For Windows 7
- Hacker Tools Free
- Hack Website Online Tool
- Hacking Tools And Software
- Hacker Tools
- Hacking Tools For Kali Linux
- Android Hack Tools Github
- Pentest Recon Tools
- Best Hacking Tools 2019
- What Are Hacking Tools
- New Hack Tools
- Hacker Tools List
- Pentest Tools Find Subdomains
- Hack Tools Pc
- Pentest Tools Windows
- Hacking Tools Software
- Hacker Tools Apk
- Hacking Tools
- Hackers Toolbox
- Hack Website Online Tool
- Blackhat Hacker Tools
- Ethical Hacker Tools
- Hack Tools For Pc
- Pentest Tools Kali Linux
- Android Hack Tools Github
- Top Pentest Tools
- Hacking Tools Pc
- Hacking Tools For Beginners
- Best Hacking Tools 2019
- Nsa Hacker Tools
- Underground Hacker Sites
- Termux Hacking Tools 2019
- Pentest Tools Bluekeep
- Hack Tools Mac
- Hack Tools
- Physical Pentest Tools
- Hack Tools 2019
- Pentest Tools Nmap
- Hacker Security Tools
- Hacking Tools 2019
- Bluetooth Hacking Tools Kali
- Blackhat Hacker Tools
- Hacker Tools Windows
- Nsa Hack Tools Download
- Hacker Tools Windows
- Hacker Techniques Tools And Incident Handling
- New Hack Tools
- Hacker
- Computer Hacker
- Hackrf Tools
- Hacking Tools Windows
- Pentest Tools Online
- Hacker Tools Github
- Ethical Hacker Tools
- Hack Apps
- Pentest Tools Subdomain
- Nsa Hack Tools
- New Hacker Tools
- Hacking Tools Kit
- Hack App
- Hacker Tools 2019
- Hacker Tools
- New Hack Tools
- Hack Website Online Tool
- Hacker Tools Apk
- Hacker Search Tools
- Pentest Tools Website Vulnerability
- Hack Tools
- Hacking Tools 2019
- Android Hack Tools Github
- Usb Pentest Tools
- Hacker Tools Free
- Hacker Tools For Pc
- Pentest Tools Android
- Hacking Tools Mac
- Pentest Tools
- Hacker Tools Hardware
- Hack Apps
- Pentest Tools Port Scanner
- Pentest Tools For Mac
- Hacker Tools List
- Nsa Hack Tools Download
- Nsa Hacker Tools
- Pentest Tools Nmap
- Hacking Tools For Games
- Easy Hack Tools
- Growth Hacker Tools
- Hacking Tools Windows 10
- Android Hack Tools Github
- Hak5 Tools
- Pentest Tools Port Scanner
- Hacker Tools Hardware
- Hack Tools
- Pentest Recon Tools
- Hack Tools For Ubuntu
- Pentest Tools Open Source
- Hacking Tools For Beginners
- Hacker Tools Free
- Growth Hacker Tools
- Pentest Tools Apk
- Top Pentest Tools
- Tools For Hacker
- Hacker Tools Hardware
- Hacker Hardware Tools
- Pentest Tools Apk
- Underground Hacker Sites
- Hacker Tools Linux
- Free Pentest Tools For Windows
- Hacker Tools 2020
- Hacks And Tools
- Hacker Tools
- Hack Tools Pc
- Hacking Tools Mac
- Nsa Hacker Tools
- Blackhat Hacker Tools
- Pentest Tools Github
- Hacking Tools Hardware
- World No 1 Hacker Software
- Hack Tools For Pc
- Growth Hacker Tools
- Hack Tools For Pc
- Hackrf Tools
- Hack Tools For Ubuntu
- Hacking Tools Online
- Underground Hacker Sites
- Hackers Toolbox
- Hacking Tools 2019
- Hacker Security Tools
No comments:
Post a Comment