8/25/20

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see an application checking the Referer HTTP header.

A couple of months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept an empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering: maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent, but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that, in theory, there is an anonymous flag for CORS, but he could not get it to work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on the Referer header, and that led me to W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"s there).

The PoC would look something like this:
<html>
<head>
<!-- "never" is the legacy keyword for no-referrer: the browser sends no Referer header with the form POST -->
<meta name="referrer" content="never">
</head>
<body>
<form action="https://victimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
// auto-submit the form as soon as the page loads
document.forms[0].submit();
</script>
</body>
</html>
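To show from the server side why the "accept an empty Referer" practice mentioned above is what this PoC defeats, here is an added example (not from the original post or any of the referenced authors) of the lenient Referer check, a stricter Origin/Referer check, and the synchronizer-token check OWASP recommends. The three header sets are constructed, and https://victimsite.com is a placeholder application origin.

```python
# Added example, not from the original post. Compares three server-side CSRF
# checks against constructed requests; "https://victimsite.com" is a placeholder.
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://victimsite.com"  # placeholder application origin


def _origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] so a full Referer URL can be
    compared against the application origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def lenient_referer_check(headers: dict) -> bool:
    """The common-practice check: Referer must match if present, but an absent
    Referer is accepted so that privacy proxies and browsers do not break.
    This is exactly what the meta-referrer PoC defeats."""
    referer = headers.get("Referer")
    if referer is None:  # header stripped by the attacker's page -> accepted
        return True
    return _origin_of(referer) == SITE_ORIGIN


def strict_origin_check(headers: dict) -> bool:
    """Hardened variant: a state-changing request must carry a matching Origin
    or Referer; a request with neither (or the opaque value 'null') is denied."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return _origin_of(value) == SITE_ORIGIN
    return False  # no verifiable source at all -> deny, do not trust


def token_check(session_token: str, submitted_token) -> bool:
    """Synchronizer-token check (OWASP's recommended defense): the token bound to
    the session must equal the one in the form body, compared in constant time."""
    if not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


# Constructed request headers (header names assumed already normalized).
SAME_ORIGIN = {"Referer": "https://victimsite.com/settings", "Origin": "https://victimsite.com"}
CROSS_SITE = {"Referer": "https://attacker.example/poc.html", "Origin": "https://attacker.example"}
# Cross-site POST from the meta-referrer PoC: no Referer; browsers may send an
# opaque "Origin: null" or omit Origin entirely, so both shapes are tested.
STRIPPED = {"Origin": "null"}
```

Run the block and call the three checks on SAME_ORIGIN, CROSS_SITE and STRIPPED: only the lenient check lets the stripped cross-site request through.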

Conclusion

As you can see, there are quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make a PoC is with the meta tag, but hey, if you have any better solution for this, use the comment field down there and let me know! :)
