Lilypie 1st Birthday Ticker

Saturday, August 29, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Related posts
  1. Pentest Tools Online
  2. Hacker Techniques Tools And Incident Handling
  3. Hacking Tools Name
  4. Pentest Tools Apk
  5. Hack Apps
  6. Hacking Tools For Kali Linux
  7. Hacker Tools For Pc
  8. Pentest Tools Subdomain
  9. Beginner Hacker Tools
  10. Hackrf Tools
  11. Pentest Tools Website
  12. Kik Hack Tools
  13. New Hack Tools
  14. Free Pentest Tools For Windows
  15. Hacking App
  16. Github Hacking Tools
  17. Hacking App
  18. Hacking Tools For Beginners
  19. Physical Pentest Tools
  20. Hacking Tools Software
  21. Hack App
  22. Hacker Tools Windows
  23. Hacking Tools For Pc
  24. Pentest Tools Nmap
  25. Hacking Tools Download
  26. World No 1 Hacker Software
  27. Hacker
  28. Pentest Tools Find Subdomains
  29. Pentest Automation Tools
  30. Hacking Tools For Windows
  31. Pentest Tools Kali Linux
  32. Hacker Tools Mac
  33. Hack Tools Github
  34. Game Hacking
  35. Pentest Tools Alternative
  36. Hacker Hardware Tools
  37. Hack Tool Apk No Root
  38. Best Hacking Tools 2019
  39. Hacker Tools Mac
  40. Hack Tools For Ubuntu
  41. Hacker Tools Github
  42. Pentest Reporting Tools
  43. Hacking Tools 2019
  44. Pentest Tools For Android
  45. Tools For Hacker
  46. Github Hacking Tools
  47. Kik Hack Tools
  48. How To Hack
  49. Hack Tools For Ubuntu
  50. Install Pentest Tools Ubuntu
  51. Hack Tools
  52. Pentest Tools Port Scanner
  53. Hacking Tools Free Download
  54. Hacking Tools Name
  55. Hack Tools For Windows
  56. Hacker Tools Apk
  57. Pentest Tools Url Fuzzer
  58. Hacker Tools List
  59. Bluetooth Hacking Tools Kali
  60. Underground Hacker Sites
  61. Pentest Tools Windows
  62. Hacker Tools Windows
  63. Hacker Tools
  64. Pentest Tools Apk
  65. Hacker Tools Linux
  66. Hack Rom Tools
  67. Hacking Tools Pc
  68. Hacking Tools Software
  69. New Hack Tools
  70. Hacker Tools For Mac
  71. Hacker Tools Software
  72. Hacker Search Tools
  73. Free Pentest Tools For Windows
  74. Pentest Tools List
  75. Install Pentest Tools Ubuntu
  76. Hacking Tools Windows 10
  77. Hacker Tools
  78. Pentest Reporting Tools
  79. Pentest Automation Tools
  80. Hack Tools 2019
  81. Hacking Tools For Beginners
  82. Hacker Tools For Mac
  83. Hacking Tools For Windows 7
  84. Top Pentest Tools
  85. Pentest Recon Tools
  86. Hack Tools Github
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)