Friday, August 21, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection: either they have one implemented using CSRF tokens (more or less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see applications checking the Referer HTTP header.

A couple of months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW, it is common practice to accept an empty or missing Referer, mainly to avoid breaking functionality (browsers and proxies drop it in plenty of legitimate situations).

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering: maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data: URI method is not browser-independent, but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that, in theory, there is an anonymous flag for CORS, but he could not get it to work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on the Referer header, and that led me to the W3C's Referrer Policy. So, just to make a dumb little PoC and show that relying on Referer is not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
<head>
<!-- "never" is the legacy value; the current Referrer Policy spec name is "no-referrer".
     Either way the browser sends no Referer header with the form submission. -->
<meta name="referrer" content="never">
</head>
<body>
<form action="https://victimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
// auto-submit the form as soon as the page loads
document.forms[0].submit();
</script>
</body>
</html>
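The server-side counterpart to the PoC above, as an added example that is not part of the original post: the lenient Referer check the post describes (reject a foreign Referer, but trust a request that has none) beside a variant that fails closed when no source origin arrives. The application origin, header dictionaries and the attacker hostname are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical origin of the protected application (constructed).
APP_ORIGIN = "https://victimsite.com"


def _header(headers, name):
    """Case-insensitive lookup of an HTTP header in a dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin_of(url):
    """Reduce a URL to scheme://host[:port]; None if it has no scheme/host
    (this also covers the literal value 'null' that browsers may send in Origin)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def lenient_referer_check(headers):
    """The pattern from the post: a missing or empty Referer is accepted,
    so a page carrying <meta name="referrer" content="never"> passes."""
    referer = _header(headers, "Referer")
    if not referer:
        return True  # the gap: absence of the header is treated as trust
    return _origin_of(referer) == APP_ORIGIN


def strict_origin_check(headers):
    """Fail-closed variant: prefer Origin, fall back to Referer, and reject
    when neither names the application origin. Still only a secondary
    control next to CSRF tokens or SameSite cookies."""
    source = _header(headers, "Origin") or _header(headers, "Referer")
    if not source:
        return False  # stripped headers are rejected instead of trusted
    return _origin_of(source) == APP_ORIGIN


# Constructed sample requests, reduced to the headers the checks look at.
SAME_SITE = {"Referer": "https://victimsite.com/page", "Origin": "https://victimsite.com"}
CROSS_SITE = {"Referer": "https://attacker.example/poc.html", "Origin": "https://attacker.example"}
STRIPPED = {}  # what arrives after the meta referrer tag removes the Referer
```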

Conclusion

As you can see, there are quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make a PoC is with the meta tag, but hey, if you have any better solution for this, use the comment field down there and let me know! :)
