Saturday, August 29, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection: either they have one implemented using CSRF tokens (more or less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see applications checking the Referer HTTP header.

A couple of months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW, it is common practice to accept an empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering: maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data: URL method is not browser independent, but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory there is an anonymous flag for CORS, but he could not get it to work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer stripping, coming to similar conclusions as Rich Lundeen, mostly using the data: URL method.

Finally, I bumped into Johannes Ullrich's ISC diary on the Referer header, and that led me to the W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"s there).

The PoC would look something like this:
<!DOCTYPE html>
<html>
<head>
<!-- "never" is the legacy keyword; the Referrer Policy spec calls the same policy "no-referrer" -->
<meta name="referrer" content="never">
</head>
<body>
<!-- cross-site POST that the target would normally reject based on the Referer -->
<form action="https://vistimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
// submit the form automatically as soon as the page loads
document.forms[0].submit();
</script>
</body>
</html>
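To show the defender's side of this, here is an added example (not code from the original post) of the two server-side policies the post describes: the lenient one that accepts a missing Referer, which the PoC above sails through, and a strict one that falls back to the Origin header and fails closed when neither header is usable. The function names, the site origin and the sample request headers are constructed for the example.

```javascript
// Added example (not from the original post). Header names are lower-case,
// as a Node.js server would expose them; all sample values are constructed.

// Returns the origin part ("https://host[:port]") of a URL, or null if unparseable.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a state-changing request may proceed.
//   headers:    object with lower-case header names
//   siteOrigin: the application's own origin, e.g. "https://vistimsite.com"
//   policy:     "lenient" (the common practice the post describes) or "strict"
function csrfCheck(headers, siteOrigin, policy) {
  const origin = headers["origin"];
  const referer = headers["referer"];
  if (policy === "lenient") {
    // Weak: an absent Referer is waved through, so a page carrying
    // <meta name="referrer" content="never"> bypasses the check entirely.
    return referer === undefined || originOf(referer) === siteOrigin;
  }
  // Strict: prefer Origin. For a cross-site form POST under a no-referrer
  // policy the browser still sends "Origin: null", which does not match the
  // site origin and is therefore rejected. Fall back to Referer only when
  // Origin is absent, and fail closed when both are missing.
  let source = null;
  if (origin !== undefined) {
    source = origin;
  } else if (referer !== undefined) {
    source = originOf(referer);
  }
  return source !== null && source === siteOrigin;
}

// Constructed sample requests.
const SITE = "https://vistimsite.com";
const legitRequest = { origin: SITE, referer: SITE + "/settings" };
const metaReferrerPoc = { origin: "null" }; // what the PoC above produces: no Referer, Origin: null
const crossSiteRequest = { origin: "https://attacker.example", referer: "https://attacker.example/poc.html" };
```

Even the strict variant is only a secondary check: Origin and Referer can be absent or unparseable for legitimate clients, which is why the OWASP cheat sheet the post cites recommends synchronizer or double-submit tokens as the primary defense.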

Conclusion

As you can see, there are quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make a PoC is with the meta tag, but hey, if you have a better solution for this, use the comment field down there and let me know! :)
