Wednesday, August 26, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Related articles

  1. Pentest Tools Review
  2. Hacking Tools Windows 10
  3. Hack Rom Tools
  4. Growth Hacker Tools
  5. Hacking Tools Usb
  6. Hacking Tools
  7. Pentest Tools Subdomain
  8. Pentest Tools For Ubuntu
  9. Pentest Tools For Android
  10. Hacking Tools For Beginners
  11. Hacker Tools Online
  12. Hack Tools For Pc
  13. Hacking Tools Kit
  14. Pentest Tools Linux
  15. Pentest Tools Tcp Port Scanner
  16. Hack Tools Mac
  17. Hak5 Tools
  18. Pentest Tools Free
  19. Nsa Hacker Tools
  20. Hacking Tools 2019
  21. Hacking Tools Hardware
  22. Hacking Tools Software
  23. New Hacker Tools
  24. Pentest Reporting Tools
  25. Pentest Tools Subdomain
  26. Hacker Tools Mac
  27. Usb Pentest Tools
  28. How To Hack
  29. Computer Hacker
  30. Hack Tools For Games
  31. Pentest Tools For Ubuntu
  32. Hacking Tools
  33. Game Hacking
  34. Hack Tools For Windows
  35. Best Hacking Tools 2020
  36. What Are Hacking Tools
  37. Android Hack Tools Github
  38. Hackers Toolbox
  39. Hacking Tools Name
  40. Hack App
  41. Pentest Tools For Android
  42. Pentest Tools Tcp Port Scanner
  43. Hack Tool Apk No Root
  44. New Hacker Tools
  45. Black Hat Hacker Tools
  46. Hack Tools
  47. Pentest Tools Kali Linux
  48. Pentest Tools Alternative
  49. Pentest Box Tools Download
  50. Hacker Tools Mac
  51. Pentest Tools For Android
  52. New Hacker Tools
  53. Hack Tools Mac
  54. Usb Pentest Tools
  55. Hacks And Tools
  56. Hacker Tools
  57. Hacking Tools For Beginners
  58. How To Install Pentest Tools In Ubuntu
  59. Hack Tools Pc
  60. Android Hack Tools Github
  61. Hack Tools Github
  62. Pentest Tools For Windows
  63. Pentest Tools Kali Linux
  64. Pentest Tools For Mac
  65. Hacker Tools Hardware
  66. Pentest Box Tools Download
  67. Hack Tool Apk No Root
  68. Hacking Tools For Windows
  69. Pentest Tools Alternative
  70. Hacker Tool Kit
  71. Hack Tools For Windows
  72. Best Pentesting Tools 2018
  73. Pentest Tools Find Subdomains
  74. Hacker Tools For Windows
  75. What Is Hacking Tools
  76. Hacking Tools Mac
  77. Hacking Tools Online
  78. How To Make Hacking Tools
  79. Hacking Tools Pc
  80. Hacking Tools Windows 10
  81. Hack Tools Github
  82. What Are Hacking Tools
  83. Hacker Tools For Mac
  84. Hacker Hardware Tools
  85. Hacking Tools For Beginners
  86. What Are Hacking Tools
  87. Hacking App
  88. Pentest Tools Download
  89. Hak5 Tools
  90. Hack Tools Mac
  91. Pentest Tools Website Vulnerability
  92. Nsa Hack Tools
  93. Hack And Tools
  94. Hack Tools For Mac
  95. Hacking App
  96. Free Pentest Tools For Windows
  97. Hacking Tools Pc
  98. Hackers Toolbox
  99. Hacker Tools Software
  100. Hacker Tools Free
  101. Hackrf Tools
  102. Hacker Tools Free
  103. Hack Tools Mac
  104. Hacking Tools Pc
  105. Hack Rom Tools
  106. Hacker Tools Software
  107. Hacking Tools Software
  108. Kik Hack Tools
  109. Hacker
  110. Pentest Tools Apk
  111. Hacking Tools Hardware
  112. Pentest Tools Subdomain
  113. Pentest Tools Website
  114. Pentest Tools Website Vulnerability
  115. Hacking Tools Pc
  116. Computer Hacker
  117. Hack Tools Mac
Posted by at

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)