Sunday, August 30, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection: either they have protection implemented using CSRF tokens (more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter. However, from time to time I see applications checking the Referer HTTP header instead.

A couple of months ago I had to deal with an application that was checking the Referer as its CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW, it is common practice to accept an empty Referer, mainly to avoid breaking functionality for clients that do not send one.
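To make the weakness concrete, here is a small added example (my own code, not from any of the applications or posts mentioned). It models a Referer-only check in both its usual lenient form, which accepts an empty Referer, and a strict form, next to a synchronizer-token check, and runs all three over two constructed requests: a legitimate same-site form post and a cross-site form post whose Referer has been stripped. The function names, the request representation and the origin https://example.com are assumptions of this example.

```python
"""Added example: why a Referer-only CSRF check fails when the header is stripped.

Not the original post's code. Request headers and form fields are plain dicts;
the function names and SITE_ORIGIN are this example's own assumptions.
"""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # constructed: the application's own origin


def referer_only_check(headers: Dict[str, str], strict: bool = False) -> bool:
    """Referer-based CSRF check as the post describes it.

    strict=False is the common deployment: a missing or empty Referer is accepted
    "to avoid breaking functionality", so a request whose Referer was stripped
    passes. strict=True rejects such requests, at the cost of breaking clients
    that legitimately send no Referer. Neither form is a sound CSRF defense.
    """
    referer = headers.get("Referer", "")
    if not referer:
        return not strict
    parts = urlsplit(referer)
    origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def issue_token() -> str:
    """Per-session synchronizer token, stored server-side and echoed in forms."""
    return secrets.token_urlsafe(32)


def token_check(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Token check: the submitted value must match the session's token.

    A cross-site page cannot read the victim's token, so a forged form cannot
    include it, regardless of what happens to the Referer header.
    """
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def evaluate(headers: Dict[str, str], form: Dict[str, str],
             session_token: str) -> Dict[str, bool]:
    """Run all three checks against one request; True means 'request accepted'."""
    return {
        "referer_lenient": referer_only_check(headers, strict=False),
        "referer_strict": referer_only_check(headers, strict=True),
        "token": token_check(session_token, form.get("csrf_token")),
    }


# Constructed sample requests (not captured traffic).
SESSION_TOKEN = issue_token()

# Legitimate post from the application's own settings page.
LEGIT_HEADERS = {"Referer": "https://example.com/settings"}
LEGIT_FORM = {"param1": "1", "csrf_token": SESSION_TOKEN}

# Cross-site form post from a page using <meta name="referrer" content="never">:
# the browser sends no Referer at all, and the form carries no token.
STRIPPED_HEADERS: Dict[str, str] = {}
STRIPPED_FORM = {"param1": "1"}

if __name__ == "__main__":
    print("legitimate:", evaluate(LEGIT_HEADERS, LEGIT_FORM, SESSION_TOKEN))
    print("referer stripped:", evaluate(STRIPPED_HEADERS, STRIPPED_FORM, SESSION_TOKEN))
```

Running it shows the lenient Referer check accepting the stripped cross-site request while the token check rejects it; only the token check distinguishes the two requests on something the attacker's page cannot supply.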

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info by the end.

This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue with this post. He shows a few nice tricks to strip the Referer, but I was wondering: maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data: URI method is not browser independent, but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory there is an anonymous flag for CORS, but he could not get it to work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on the Referer header, and that led me to W3C's Referrer Policy. So, just to make a dumb little PoC and show that relying on Referer is not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there): with content="never", the browser sends no Referer header at all for requests originating from that page, including the form submission below.

The PoC would look something like this (the meta tag belongs in the head, and victimsite.com stands for the target application):
<html>
<head>
<!-- "never" tells the browser to omit the Referer header for all requests from this page -->
<meta name="referrer" content="never">
</head>
<body>
<form action="https://victimsite.com/function" method="POST">
<input type="hidden" name="param1" value="1" />
<input type="hidden" name="param2" value="2" />
...
</form>
<script>
// Auto-submit the form; the browser sends the victim's cookies but no Referer
document.forms[0].submit();
</script>
</body>
</html>

Conclusion

As you can see, there are quite a few ways to strip the Referer HTTP header from a request, so it really should not be considered a good defense against CSRF. My preferred way to make the PoC is with the meta tag, but hey, if you have any better solution for this, use the comment field down there and let me know! :)
