Noteable Posts

Loading...

Saturday, August 22, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

More articles


  1. Top Pentest Tools
  2. Hackrf Tools
  3. World No 1 Hacker Software
  4. Hack Tools
  5. Underground Hacker Sites
  6. Hack Tools
  7. Pentest Tools Kali Linux
  8. Pentest Reporting Tools
  9. Hack Tools
  10. Hacker Tools Mac
  11. Hacking Tools For Windows Free Download
  12. Pentest Reporting Tools
  13. Hack Tools For Games
  14. Hacker Techniques Tools And Incident Handling
  15. Hacking Tools For Beginners
  16. Hacker Tools For Windows
  17. Pentest Tools Apk
  18. How To Make Hacking Tools
  19. Hacking Tools Pc
  20. Easy Hack Tools
  21. Hacking Tools Mac
  22. Hacker Security Tools
  23. Pentest Tools Online
  24. Hacker Tools Windows
  25. Hacks And Tools
  26. Pentest Tools Website
  27. Pentest Tools For Windows
  28. Hack Tool Apk
  29. Hack Tools Github
  30. Pentest Tools For Mac
  31. Beginner Hacker Tools
  32. Hacking Tools For Windows
  33. Blackhat Hacker Tools
  34. Hacker Tools For Pc
  35. Pentest Tools Bluekeep
  36. World No 1 Hacker Software
  37. Pentest Tools Apk
  38. Hacker Tools
  39. Android Hack Tools Github
  40. Hack Tools For Mac
  41. Github Hacking Tools
  42. Hacking Tools Kit
  43. What Are Hacking Tools
  44. Hack Tools Github
  45. Top Pentest Tools
  46. Hack Website Online Tool
  47. Hack And Tools
  48. Pentest Tools Subdomain
  49. Hacker Search Tools
  50. Install Pentest Tools Ubuntu
  51. Hacking Tools 2019
  52. Hacking Tools Usb
  53. Hak5 Tools
  54. Best Pentesting Tools 2018
  55. Hacker Tools Online
  56. Hacking Tools For Mac
  57. Hacker Search Tools
  58. Github Hacking Tools
  59. Pentest Recon Tools
  60. Hacker Tool Kit
  61. Hacker Tools For Mac
  62. Hack Tool Apk No Root
  63. Pentest Automation Tools
  64. Hack Rom Tools
  65. Hacker Tools Windows
  66. Tools Used For Hacking
  67. Pentest Tools Alternative
  68. Nsa Hacker Tools
  69. Best Hacking Tools 2020
  70. Best Pentesting Tools 2018
  71. Pentest Tools For Mac
  72. Hacking Tools For Beginners
  73. Hacker Tools Free
  74. Easy Hack Tools
  75. Hack Tools Online
  76. Hacking Tools 2019
  77. Wifi Hacker Tools For Windows
  78. Hack Tools 2019
  79. Hacker Tools 2020
  80. Termux Hacking Tools 2019
  81. Hack Website Online Tool
  82. Hack Tools Mac
  83. Hack Tools Mac
  84. Pentest Tools Subdomain
  85. Blackhat Hacker Tools
  86. Pentest Tools Windows
  87. Android Hack Tools Github
  88. Pentest Tools Nmap
  89. Hack Tools Download
  90. Tools For Hacker
  91. Computer Hacker
  92. Pentest Tools Android
  93. Pentest Tools Website
  94. Pentest Tools For Android
  95. Hacking Tools Download
  96. Pentest Tools Download
  97. Hacks And Tools
  98. Hacking Tools 2020
  99. Usb Pentest Tools
  100. New Hacker Tools
  101. Easy Hack Tools
  102. Hack Tools 2019
  103. Hacker Tools 2020
  104. Top Pentest Tools
  105. Hacker Tools Free Download
  106. Hack Tools For Windows
  107. Tools Used For Hacking
  108. Hacker Tools Free
  109. Hacker Techniques Tools And Incident Handling
  110. Hacker Tool Kit
  111. Best Hacking Tools 2019
  112. Pentest Tools Free
  113. Game Hacking
  114. Growth Hacker Tools
  115. Pentest Reporting Tools
  116. How To Hack
  117. Hacker Tools
  118. Hacking Tools For Mac
  119. Easy Hack Tools
  120. Hacking Tools For Beginners
  121. Hacking Tools Pc
  122. Hacking Tools 2019
  123. Pentest Tools Download
  124. Pentest Tools Free
  125. Easy Hack Tools
  126. Hack Tools Mac
  127. Hacking Tools Pc
  128. New Hacker Tools
  129. Bluetooth Hacking Tools Kali
  130. Pentest Tools For Mac
  131. Best Pentesting Tools 2018
  132. How To Hack
  133. Hacker Tools For Ios
  134. Hacking Tools Download
  135. Pentest Tools Github
  136. Hacking Tools Usb
  137. Bluetooth Hacking Tools Kali
  138. Hacking Tools For Windows 7
  139. Hacker Techniques Tools And Incident Handling
  140. Hacker Search Tools
  141. Hacking Apps
  142. Hacker Tools Apk
  143. Android Hack Tools Github
  144. Pentest Tools Github
  145. What Are Hacking Tools
  146. Best Hacking Tools 2019
  147. Hacking Apps
  148. Hacker Tools Windows
  149. Hack And Tools
  150. Hack Tool Apk No Root
  151. Hacking Tools Kit
  152. Best Hacking Tools 2020

Posted by Shongshoptok at 8:00 PM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)