CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:

1. learn something very cool;
2. have a serious headache from all the new info at the end.

This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:

<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Read more

1. Hacker
2. Beginner Hacker Tools
3. Hack And Tools
4. Hacking Tools For Windows 7
5. Computer Hacker
6. Hacks And Tools
7. Pentest Tools Review
8. Hacker Tools 2020
9. Pentest Tools For Mac
10. Hacker Tools Mac
11. Hacking Tools And Software
12. Pentest Reporting Tools
13. Hacker Tools Mac
14. Hacking Tools
15. Hacking Tools 2019
16. Best Pentesting Tools 2018
17. Hacking Tools For Windows
18. Hacking Tools Windows
19. Hacking Tools Name
20. Hacker Tools Github
21. Hacker Tools 2020
22. Android Hack Tools Github
23. How To Hack
24. Physical Pentest Tools
25. Install Pentest Tools Ubuntu
26. Hacker Security Tools
27. How To Install Pentest Tools In Ubuntu
28. Hack Tools Mac
29. Hacker Tools Hardware
30. Pentest Automation Tools
31. Pentest Tools For Windows
32. Hacking Tools Hardware
33. Hack Tools For Pc
34. Pentest Tools For Android
35. What Is Hacking Tools
36. Hacker Tools Apk Download
37. Pentest Recon Tools
38. Pentest Tools Android
39. Hack App
40. How To Make Hacking Tools
41. Nsa Hack Tools Download
42. Pentest Tools Find Subdomains
43. Hacking Apps
44. Pentest Tools For Android
45. Hack Tools For Games
46. Hacker Security Tools
47. Hacking Tools For Mac
48. Usb Pentest Tools
49. Hacker Tools Online
50. Hack Tools
51. Hack Tools Pc
52. Hacking Tools Windows
53. Hacker Tools For Windows
54. Pentest Tools Download
55. Hacker Tools 2020
56. Pentest Tools Alternative
57. Hacking Tools Windows 10
58. Pentest Tools Find Subdomains
59. Easy Hack Tools
60. Hacking Tools Windows
61. Hacker Tools Linux
62. Hacking Tools Online
63. Hacker Tools Hardware
64. Ethical Hacker Tools
65. Hacking Tools Usb
66. Pentest Recon Tools
67. Hack Tools For Pc
68. Android Hack Tools Github
69. Hacker Tools Software
70. How To Install Pentest Tools In Ubuntu
71. Pentest Tools Tcp Port Scanner
72. Hacking Tools For Windows Free Download
73. Pentest Tools Tcp Port Scanner
74. Hacker Tools Online
75. Nsa Hacker Tools
76. Hack Website Online Tool
77. Beginner Hacker Tools
78. Nsa Hacker Tools
79. Hacking Tools Free Download
80. How To Install Pentest Tools In Ubuntu
81. Hacker Tools 2019
82. Pentest Tools List
83. Hacker Security Tools
84. Tools For Hacker
85. Hacking Tools Hardware
86. Pentest Tools Bluekeep
87. Android Hack Tools Github
88. Free Pentest Tools For Windows
89. New Hack Tools
90. What Are Hacking Tools
91. Hacking Tools Software
92. Hacker Tools List
93. Hacking Tools Pc
94. Pentest Tools Tcp Port Scanner
95. Hacker Tools Github
96. Install Pentest Tools Ubuntu
97. Free Pentest Tools For Windows
98. Hacker Tools Mac
99. How To Hack
100. Ethical Hacker Tools
101. Hacking Tools Download
102. Pentest Tools Apk
103. Pentest Tools Alternative
104. Pentest Tools Framework
105. Pentest Reporting Tools
106. Hacking Tools For Kali Linux
107. Hacker Tools 2020
108. Tools 4 Hack
109. Pentest Tools Subdomain
110. Hacker Tools For Windows
111. Hacking Tools And Software
112. New Hack Tools
113. Hacking Tools Windows 10
114. Pentest Recon Tools
115. Pentest Tools Download
116. Hacker Tools 2020
117. Nsa Hacker Tools
118. Hacking Tools Windows 10
119. Hacking Tools Download
120. Pentest Tools Bluekeep
121. Pentest Tools Download
122. Hacking Tools Online
123. Hack Tools Online
124. Hacker Hardware Tools
125. Pentest Tools Alternative
126. Pentest Tools Website
127. Hack Tools
128. Underground Hacker Sites
129. What Are Hacking Tools
130. How To Hack
131. Hacker Tools Windows
132. Hacking Tools 2019
133. Hacking Tools Download
134. Install Pentest Tools Ubuntu
135. Hacking Tools Hardware
136. Hacker Tools For Ios
137. Best Hacking Tools 2019
138. What Is Hacking Tools
139. Hacker Tools Apk
140. Hack And Tools
141. Hack Website Online Tool
142. How To Install Pentest Tools In Ubuntu
143. Hacker Tools Free
144. Hack Tool Apk
145. Hack Tools For Mac
146. Hack Tools For Windows
147. Pentest Tools For Android
148. Hack App
149. Beginner Hacker Tools
150. Nsa Hack Tools Download
151. Pentest Tools Nmap
152. What Is Hacking Tools
153. Hacker Tools Github
154. Hacker Tools Linux
155. Hacking Tools For Pc
156. Hacker Tools
157. Pentest Tools Alternative
158. Hack Tools Download
159. Hacker Tools
160. Pentest Tools Website Vulnerability
161. Hack And Tools
162. Pentest Automation Tools
163. Hack Tool Apk No Root
164. Hack Tools For Ubuntu
165. Hacking Tools Github
166. Hacking Tools For Games
167. Hacker Tools Linux
168. Hack Tools
169. How To Hack
170. Hacking Tools For Windows 7
171. Hacker Tool Kit
172. Termux Hacking Tools 2019
173. Pentest Tools For Windows
174. Top Pentest Tools
175. Hack Tools For Pc