Powered by Blogger.

Friday, August 28, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

More information


  1. Pentest Recon Tools
  2. Pentest Tools Tcp Port Scanner
  3. Hacking Tools Mac
  4. Hack Rom Tools
  5. Wifi Hacker Tools For Windows
  6. Hacking App
  7. Growth Hacker Tools
  8. Pentest Tools Apk
  9. Hacking Apps
  10. Hackrf Tools
  11. Pentest Tools Review
  12. Pentest Tools Subdomain
  13. Pentest Tools Apk
  14. Pentest Reporting Tools
  15. Hacker Tools 2020
  16. Pentest Tools Review
  17. Hacking Tools Name
  18. Hacking Apps
  19. How To Install Pentest Tools In Ubuntu
  20. Physical Pentest Tools
  21. Hack App
  22. How To Install Pentest Tools In Ubuntu
  23. Hacking Apps
  24. Pentest Tools Website
  25. How To Install Pentest Tools In Ubuntu
  26. Hacker Tools 2019
  27. Hacker Tools For Mac
  28. Pentest Tools Download
  29. Hacker Tools Online
  30. Hacker Tools For Windows
  31. Hacker Tools Free
  32. Nsa Hack Tools
  33. Hacker Tools 2020
  34. World No 1 Hacker Software
  35. Game Hacking
  36. Hacking Tools For Kali Linux
  37. Growth Hacker Tools
  38. Hacking Tools For Kali Linux
  39. Easy Hack Tools
  40. Pentest Tools Subdomain
  41. Kik Hack Tools
  42. Hacker Tools Github
  43. Github Hacking Tools
  44. Best Pentesting Tools 2018
  45. Hacker Tools Hardware
  46. Hack Website Online Tool
  47. Best Hacking Tools 2019
  48. Hak5 Tools
  49. Hacker Tools Free
  50. Hacking Tools For Kali Linux
  51. Hacking Tools For Pc
  52. Pentest Reporting Tools
  53. Hack Tools Download
  54. Hacking Tools Windows 10
  55. Pentest Tools List
  56. Pentest Tools Port Scanner
  57. Hack Tools For Ubuntu
  58. Hackrf Tools
  59. New Hack Tools
  60. Hack Website Online Tool
  61. Hacker Tools Hardware
  62. Computer Hacker
  63. Pentest Tools Online
  64. Hacker Tools
  65. Pentest Tools Url Fuzzer
  66. Pentest Tools Free
  67. Hacking Tools For Pc
  68. Hacking Tools 2020
  69. Pentest Tools Tcp Port Scanner
  70. Hacking Tools Windows 10
  71. Hacker Tools Apk
  72. Ethical Hacker Tools
  73. Pentest Tools Framework
  74. Nsa Hack Tools
  75. Best Pentesting Tools 2018
  76. Hack App
  77. How To Install Pentest Tools In Ubuntu
  78. Pentest Recon Tools
  79. Pentest Tools Free
  80. Hacker Tools For Windows
  81. Blackhat Hacker Tools
  82. Pentest Tools Nmap
  83. Hack Tools Online
  84. Android Hack Tools Github
  85. Hack Tool Apk
  86. Hacking Tools For Windows Free Download
  87. Pentest Tools Kali Linux
  88. Hacker Tools Free Download
  89. Hacker Tools Online
  90. Hacking Tools Free Download
  91. Pentest Tools For Ubuntu
  92. Game Hacking
  93. Hacker Tools
  94. Hacking Tools 2019
  95. Pentest Tools Android
  96. Hacking Tools Hardware
  97. Hacker Tools Hardware
  98. Hacking Tools Software
  99. World No 1 Hacker Software
  100. Hacking Tools 2019
  101. Hacker Tools Online
  102. Hacking Tools And Software
  103. Pentest Tools For Windows
  104. Hack Website Online Tool
  105. Pentest Automation Tools
  106. Pentest Tools Website Vulnerability
  107. Tools For Hacker
  108. Easy Hack Tools
  109. Hack Tools Download
  110. Hack App
  111. Hacker Tools Windows
  112. Pentest Tools Online
  113. Hack Tools For Ubuntu
  114. Pentest Tools Online
  115. Hacker Tools List
  116. Pentest Tools Port Scanner
  117. Hack Tools For Mac
  118. Pentest Tools Url Fuzzer
F1 Shirt +60103425700 at

0 comments:

Post a Comment

 
Twitter Facebook Dribbble Tumblr Last FM Flickr Behance