Friday, August 28, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Continue reading
  1. Hacker Search Tools
  2. Pentest Tools Subdomain
  3. Nsa Hacker Tools
  4. Hacker Tools 2019
  5. Pentest Tools Online
  6. Hacking Apps
  7. Hack Rom Tools
  8. Pentest Tools List
  9. Hacker Tools 2020
  10. What Is Hacking Tools
  11. Pentest Tools For Mac
  12. Hacker Tools Github
  13. Physical Pentest Tools
  14. Usb Pentest Tools
  15. Pentest Tools For Android
  16. Hacker Tools Github
  17. Pentest Tools Url Fuzzer
  18. Pentest Tools Linux
  19. Hacking Tools For Windows Free Download
  20. Pentest Tools
  21. Beginner Hacker Tools
  22. Hacking Tools Software
  23. Pentest Tools Find Subdomains
  24. Ethical Hacker Tools
  25. Hacking Tools For Kali Linux
  26. Best Hacking Tools 2019
  27. Beginner Hacker Tools
  28. Hack Website Online Tool
  29. Hacking Tools For Mac
  30. Pentest Recon Tools
  31. Pentest Tools Apk
  32. Hack Tools 2019
  33. Hacking Tools Name
  34. Hacking Tools Windows 10
  35. Pentest Tools Apk
  36. Best Pentesting Tools 2018
  37. Pentest Tools For Windows
  38. Hacking Tools Usb
  39. Hacking Tools For Kali Linux
  40. Tools 4 Hack
  41. Top Pentest Tools
  42. Pentest Tools For Mac
  43. Hacking Tools
  44. Pentest Tools Subdomain
  45. Hacking Tools Hardware
  46. Usb Pentest Tools
  47. Hacking Tools For Mac
  48. Pentest Tools Review
  49. Pentest Tools Find Subdomains
  50. Hacker Tools Github
  51. Hacker Tools For Pc
  52. Hacking Tools For Mac
  53. Pentest Box Tools Download
  54. Hacking Tools Usb
  55. Black Hat Hacker Tools
  56. Underground Hacker Sites
  57. Hacking Tools Kit
  58. Hacking Tools Name
  59. Hacker Tools List
  60. Pentest Tools Android
  61. Hack Tools
  62. Hack And Tools
  63. Pentest Tools
  64. Hack Tool Apk
  65. Termux Hacking Tools 2019
  66. Hacking App
  67. Kik Hack Tools
  68. Pentest Tools Windows
  69. Android Hack Tools Github
  70. Bluetooth Hacking Tools Kali
  71. Free Pentest Tools For Windows
  72. Pentest Tools Windows
  73. Hacker Tools For Windows
  74. Hackrf Tools
  75. What Are Hacking Tools
  76. Hacker Search Tools
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)