Intro
Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.
The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.
Solutions for Referer header strip
Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
- learn something very cool;
- have a serious headache from all the new info at the end.
Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).
The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.
Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.
Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).
The PoC would look something like this:
<html>
<meta name="referrer" content="never">
<body>
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Conclusion
As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)
Related articles
- Hacking Tools Kit
- Pentest Tools Github
- Hacking Tools For Windows 7
- Pentest Tools List
- Nsa Hack Tools
- Hacking Tools Hardware
- Android Hack Tools Github
- Hacking Tools For Kali Linux
- Pentest Tools Download
- Pentest Automation Tools
- Hacking Tools For Kali Linux
- Hacking Tools For Windows
- Pentest Tools
- Pentest Tools Online
- Hacking Tools For Pc
- Hacking Tools Free Download
- Blackhat Hacker Tools
- Hacker Tools Mac
- Hack Tool Apk
- Hack Tools 2019
- Hacking Tools
- Wifi Hacker Tools For Windows
- Pentest Tools Free
- Hacker
- Hacking Tools Mac
- Bluetooth Hacking Tools Kali
- Hacking Tools For Games
- Hacker Tools Mac
- Hacking Tools For Windows
- New Hack Tools
- Hacker Tools Apk
- Pentest Tools Website Vulnerability
- Hacker Search Tools
- Hacker Tools Hardware
- Pentest Tools Free
- Hacking Tools Pc
- Hacker Tools
- What Are Hacking Tools
- Tools 4 Hack
- Hacker Tools Free Download
- Hacking Tools For Mac
- Hacking Tools For Windows Free Download
- Pentest Tools Online
- Hack Tools
- Best Pentesting Tools 2018
- Pentest Tools Nmap
- Pentest Tools For Android
- Hack Tools Pc
- Hacking Tools Pc
- Tools Used For Hacking
- Pentest Tools Windows
- Tools For Hacker
- Best Hacking Tools 2019
- What Are Hacking Tools
- Pentest Tools Download
- Hacker Tools Mac
- Hacker Tools Software
- Hacking Tools And Software
- Pentest Tools Subdomain
- Hacking Tools Download
- Hacker Tools Hardware
- Pentest Tools
- Hacker Tools Free Download
- Hack Tools For Games
- Tools For Hacker
- Hacker Tools Online
- Game Hacking
- Black Hat Hacker Tools
- Hack Website Online Tool
- Tools For Hacker
- How To Install Pentest Tools In Ubuntu
- Hacking Tools For Kali Linux
- Hacker Tools Apk Download
- Pentest Tools Url Fuzzer
- Hack Tools Online
- Hacking Tools For Kali Linux
- Pentest Automation Tools
- Hacking Tools Name
- Blackhat Hacker Tools
- Hacker Tool Kit
- Hacker Search Tools
- Hacker Tools For Windows
- Hacker Tools Mac
- Nsa Hack Tools Download
- Github Hacking Tools
- Hacker Tools For Ios
- Bluetooth Hacking Tools Kali
- Hacker Hardware Tools
- Pentest Tools For Android
- Hacking Tools Usb
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Linux
- Hack App
- Hacker Tools 2019
- Hacking Tools Mac
- How To Hack
- Hacker Tools For Mac
- Install Pentest Tools Ubuntu
- Pentest Tools For Android
- Hacking Tools For Mac
- How To Make Hacking Tools
- Hacking Tools And Software
- Bluetooth Hacking Tools Kali
- Hacking Tools 2020
- Hack Tool Apk
- Pentest Tools Alternative
- Best Pentesting Tools 2018
- Pentest Box Tools Download
- Pentest Tools For Mac
- Hack Tools For Ubuntu
- Hacker Tools Mac
- Hacking Tools For Windows 7
- Hack Tools Online
- Pentest Tools Online
- Hacker Tools For Windows
- Pentest Tools For Ubuntu
- Hackers Toolbox
- New Hack Tools
- Hacking Tools Kit
- How To Install Pentest Tools In Ubuntu
- Hacker Tools For Pc
- Game Hacking
- Black Hat Hacker Tools
- Pentest Tools Github
- Hacking Tools For Kali Linux
- Pentest Tools Alternative
- Nsa Hack Tools Download
- Pentest Tools For Ubuntu
- Hacks And Tools
- Hacker Tools Free Download
- Pentest Tools Linux
- Hacker Tools Linux
No hay comentarios:
Publicar un comentario