23 August 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Related posts


  1. Hacking Tools 2020
  2. Hacker Techniques Tools And Incident Handling
  3. Tools Used For Hacking
  4. Hacker Tools Apk
  5. Hackers Toolbox
  6. Hack Tool Apk
  7. Easy Hack Tools
  8. Pentest Tools For Windows
  9. Best Hacking Tools 2020
  10. Tools 4 Hack
  11. Pentest Tools Port Scanner
  12. Usb Pentest Tools
  13. Game Hacking
  14. Hack Tools For Mac
  15. Hacker Tools 2020
  16. Best Hacking Tools 2020
  17. Nsa Hacker Tools
  18. Nsa Hack Tools
  19. Hacker Tools List
  20. Tools 4 Hack
  21. Hacker Tool Kit
  22. Hack Tool Apk
  23. Pentest Tools Review
  24. Pentest Tools Github
  25. Pentest Tools For Windows
  26. Hack Tools For Ubuntu
  27. Free Pentest Tools For Windows
  28. Hacker Tools Linux
  29. Hacking Tools Name
  30. Nsa Hack Tools
  31. Hack Tool Apk
  32. Pentest Tools Website
  33. Hack Tools Online
  34. Pentest Tools For Windows
  35. Hacker Tools
  36. Hacker Tools Free Download
  37. Growth Hacker Tools
  38. Hacker Tools Free Download
  39. Physical Pentest Tools
  40. Hacking Tools Hardware
  41. Pentest Tools For Android
  42. Hacker Tools Software
  43. Hacking Tools For Windows 7
  44. Easy Hack Tools
  45. Pentest Tools Windows
  46. Hack Tools Pc
  47. Pentest Tools Kali Linux
  48. Pentest Tools Android
  49. Hack Website Online Tool
  50. Best Pentesting Tools 2018
  51. Game Hacking
  52. Pentest Tools Download
  53. Pentest Tools Bluekeep
  54. Pentest Tools For Android
  55. Hacker Tools Apk Download
  56. Hacker Tools Github
  57. Pentest Tools Url Fuzzer
  58. Top Pentest Tools
  59. Pentest Tools Review
  60. Hacking Tools For Windows 7
  61. Hack And Tools
  62. Game Hacking
  63. Pentest Tools Nmap
  64. Pentest Tools For Android
  65. New Hack Tools
  66. Kik Hack Tools
  67. Hacker Tools 2020
  68. Hack Tools For Games
  69. Pentest Tools Tcp Port Scanner
  70. Pentest Tools Url Fuzzer
  71. Hacking Tools For Windows Free Download
  72. Hack App
  73. Hacking App
  74. Black Hat Hacker Tools
  75. Pentest Tools For Windows
  76. Best Pentesting Tools 2018
  77. Pentest Tools Windows
  78. Hack Tools Github
  79. Beginner Hacker Tools
  80. Hack Apps
  81. Pentest Tools Review
  82. Hacker
  83. Tools 4 Hack
  84. Best Pentesting Tools 2018
  85. Hack Tools Download
  86. Pentest Tools Find Subdomains
  87. Tools 4 Hack
  88. Hack Rom Tools
  89. Pentest Tools Apk
  90. Hacking Tools
  91. Hacker Techniques Tools And Incident Handling
  92. Hack Tools
  93. What Is Hacking Tools
  94. Pentest Box Tools Download
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)