Sunday, August 23, 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Related word
  1. Pentest Tools For Android
  2. Pentest Tools List
  3. Hack Tools Pc
  4. Hacker Tools 2019
  5. Hacking Tools Pc
  6. Hacking Tools Windows
  7. Kik Hack Tools
  8. Hacker Search Tools
  9. Nsa Hacker Tools
  10. Hack App
  11. Hack Tool Apk
  12. Usb Pentest Tools
  13. New Hack Tools
  14. Pentest Tools Free
  15. Android Hack Tools Github
  16. Hack Tools
  17. Hacker Tools 2020
  18. Best Hacking Tools 2019
  19. Hack Rom Tools
  20. Tools 4 Hack
  21. Best Hacking Tools 2019
  22. Hacking Tools Windows 10
  23. Game Hacking
  24. Hacking Tools Windows
  25. Hacker Tools Windows
  26. Hacking Tools For Kali Linux
  27. Hacking Tools 2020
  28. Hack Tools Download
  29. Best Hacking Tools 2020
  30. Blackhat Hacker Tools
  31. Hack Tools Pc
  32. Hacking Tools For Kali Linux
  33. Hacking Tools 2020
  34. Hacker Hardware Tools
  35. Hacker Tools Online
  36. Hack Tools
  37. Growth Hacker Tools
  38. Hack Rom Tools
  39. How To Hack
  40. Ethical Hacker Tools
  41. Hacking Tools For Windows Free Download
  42. Best Hacking Tools 2020
  43. Hacker Tools For Mac
  44. Hacker Tools Free Download
  45. Hacking App
  46. Hacking Tools Kit
  47. Pentest Tools For Ubuntu
  48. Tools For Hacker
  49. Hacking Tools For Mac
  50. Hackrf Tools
  51. Hacker Techniques Tools And Incident Handling
  52. Hacking Tools For Games
  53. Hacker Tools Software
  54. Install Pentest Tools Ubuntu
  55. Pentest Tools Apk
  56. Pentest Tools Port Scanner
  57. Hacker Tools Github
  58. Ethical Hacker Tools
  59. Tools Used For Hacking
  60. Hack Tools
  61. Pentest Tools Download
  62. Hacker Tools Online
  63. Hacking Tools Software
  64. Hacker Hardware Tools
  65. Nsa Hack Tools
  66. Pentest Automation Tools
  67. Termux Hacking Tools 2019
  68. Pentest Tools Download
  69. Pentest Automation Tools
  70. Hacking Tools Windows 10
  71. Hacker Tools Free Download
  72. Pentest Tools For Ubuntu
  73. What Are Hacking Tools
  74. Pentest Tools Online
  75. Hacker Tools Apk
  76. Hack Tools Github
  77. Hacking Tools Windows 10
  78. Hack App
  79. Pentest Recon Tools
  80. Hacking Apps
  81. Pentest Tools Apk
  82. Pentest Automation Tools
  83. Black Hat Hacker Tools
  84. Hacking Tools Download
  85. Pentest Tools Subdomain
  86. Hackrf Tools
  87. Hacker Tools 2019
  88. Hack Tools Download
  89. Github Hacking Tools
  90. Hack Tools Github
  91. Pentest Tools Framework
  92. Pentest Tools Tcp Port Scanner
  93. Tools Used For Hacking
  94. Hacking Tools For Games
  95. Pentest Recon Tools
  96. Hacking Tools Name
  97. New Hacker Tools
  98. Github Hacking Tools
  99. Pentest Tools Framework
  100. Hacker
  101. Pentest Tools Find Subdomains
  102. Pentest Tools Github
  103. Hacker Tools Mac
  104. Tools Used For Hacking
  105. Hacker Tools For Windows
  106. Hacker Tools Apk Download
  107. Pentest Tools Url Fuzzer
  108. Hack Tool Apk No Root
  109. How To Make Hacking Tools
  110. Computer Hacker
  111. Pentest Tools For Mac
  112. Hacking Tools And Software
  113. Hack Tools For Windows
  114. Pentest Box Tools Download
  115. Hacking Tools Windows
  116. Hack Tools For Mac
  117. Pentest Tools Review
  118. Hack Rom Tools
  119. Tools Used For Hacking
  120. Hacking Tools For Windows
  121. Hacker Tools 2019
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)