Pages

Amazon

Monday, 24 August 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

More info


  1. Hack App
  2. Nsa Hack Tools Download
  3. Hack Apps
  4. Hacker Tools For Windows
  5. Hacking Apps
  6. Hacking Tools For Kali Linux
  7. Hacking Tools Name
  8. Hacking Tools For Games
  9. Pentest Box Tools Download
  10. Pentest Tools
  11. How To Make Hacking Tools
  12. Hacking Tools Software
  13. Hacker Tools Linux
  14. Hacking Tools 2020
  15. Hacker Tools Github
  16. Hack Tools Online
  17. Hacker Techniques Tools And Incident Handling
  18. Hacker Tools Hardware
  19. Hacking Tools For Kali Linux
  20. Tools For Hacker
  21. Pentest Tools Nmap
  22. Hacking Tools And Software
  23. Best Pentesting Tools 2018
  24. Game Hacking
  25. Pentest Automation Tools
  26. Pentest Tools Nmap
  27. Hacker Search Tools
  28. Hacker Tools Linux
  29. Hacker Tools Mac
  30. Hacking Tools For Beginners
  31. Hack Tools Online
  32. Pentest Tools Review
  33. Hak5 Tools
  34. Tools For Hacker
  35. Hacking Tools Name
  36. Pentest Tools Download
  37. Hacking Tools Free Download
  38. Physical Pentest Tools
  39. Hacking Tools Free Download
  40. Pentest Reporting Tools
  41. Pentest Recon Tools
  42. Android Hack Tools Github
  43. How To Hack
  44. Hacking Tools For Windows Free Download
  45. Hacker Tools List
  46. Pentest Tools For Ubuntu
  47. Hacker Hardware Tools
  48. How To Hack
  49. Pentest Tools Alternative
  50. Underground Hacker Sites
  51. Top Pentest Tools
  52. Nsa Hack Tools Download
  53. Hacking Tools Windows 10
  54. Hacker Tools 2019
  55. Blackhat Hacker Tools
  56. Hacking Tools Name
  57. Hack Tools
  58. Pentest Tools Framework
  59. Pentest Tools Apk
  60. New Hacker Tools
  61. Blackhat Hacker Tools
  62. Pentest Tools Apk
  63. Hacking Tools 2019
  64. Hacks And Tools
  65. Hack Tools Pc
  66. New Hacker Tools
  67. Ethical Hacker Tools
  68. Hacking Tools Pc
  69. Hack Tools For Windows
  70. Hacking Tools For Mac
  71. Hacker Tools Free
  72. Hacker Security Tools
  73. Black Hat Hacker Tools
  74. Nsa Hacker Tools
  75. Github Hacking Tools
  76. Hacking Tools Github
  77. Android Hack Tools Github
  78. Hacking Tools Pc
  79. Hacker Tools For Windows
  80. Pentest Tools Port Scanner
  81. Hacking Tools Windows
  82. Top Pentest Tools
  83. Pentest Tools Nmap
  84. Hacking Tools For Beginners
  85. Wifi Hacker Tools For Windows
  86. Hack Tools
  87. Pentest Tools For Ubuntu
  88. Tools 4 Hack
  89. Tools For Hacker
  90. Pentest Tools Android
  91. Pentest Tools Kali Linux
  92. Pentest Tools List
  93. What Is Hacking Tools
  94. Hack Tools For Ubuntu
  95. Hacker Tools For Ios
  96. Hackers Toolbox
  97. Hack Tools
  98. Hacking Tools For Pc
  99. Pentest Tools Bluekeep
  100. Pentest Tools Apk
  101. Pentest Automation Tools
  102. Hacker Tools Apk
  103. Hack Tools For Pc
  104. Hacking Tools Windows
  105. Hacker Tools Online
  106. Pentest Tools For Windows
  107. Hacking Apps
  108. Termux Hacking Tools 2019
  109. Tools For Hacker
  110. Pentest Tools Linux
  111. Nsa Hacker Tools
  112. Pentest Tools For Android
  113. Growth Hacker Tools
  114. Hacking Tools For Pc
  115. Hack App
  116. Hack Tools Download
  117. Pentest Tools Find Subdomains
  118. Hacking Tools Windows 10
  119. Hacker Tools Apk
  120. Hack Tools For Games
  121. Hacker Security Tools
  122. How To Hack
  123. Hackrf Tools
  124. Pentest Tools Nmap
  125. Pentest Automation Tools
  126. Pentest Tools Nmap
  127. Hack Tools For Windows
  128. Hacker Tool Kit
  129. Hacking Tools Mac
  130. Blackhat Hacker Tools
  131. Hacking Tools Kit
  132. Hacker Tools Windows
  133. Kik Hack Tools
  134. Hacker Search Tools
  135. Pentest Automation Tools
  136. Hacking Tools And Software
  137. Blackhat Hacker Tools
  138. Hacker Tools Apk Download
  139. New Hacker Tools
  140. Github Hacking Tools
  141. Hack Tools Pc
  142. Hacking Tools Github
  143. Hacking Tools For Games
  144. Pentest Tools Apk
  145. Hacking Tools For Windows Free Download
  146. Underground Hacker Sites
  147. Hack Tools
  148. Nsa Hack Tools
  149. Pentest Tools Open Source