CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:

1. learn something very cool;
2. have a serious headache from all the new info at the end.

This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:

<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

More info

1. Hacking Tools Hardware
2. Hacker Tools Hardware
3. Nsa Hack Tools
4. Hack Rom Tools
5. Usb Pentest Tools
6. Hacking Tools 2020
7. Hacker Tools 2019
8. Hack Apps
9. Hacking Tools Hardware
10. Hack Rom Tools
11. How To Make Hacking Tools
12. Pentest Tools Subdomain
13. Hack Apps
14. Hacking Tools Usb
15. Hacking Tools Kit
16. Hack Tools Download
17. Pentest Tools Bluekeep
18. Hacker Tools Mac
19. Hack Tools Pc
20. Pentest Tools List
21. Bluetooth Hacking Tools Kali
22. Termux Hacking Tools 2019
23. Pentest Reporting Tools
24. Hacker Tools Hardware
25. Pentest Tools Bluekeep
26. Hacking Tools Mac
27. Hacker Tools For Ios
28. Pentest Tools Website
29. Pentest Tools For Windows
30. Nsa Hacker Tools
31. Pentest Recon Tools
32. Hack Tools
33. Hacking Tools For Beginners
34. Nsa Hack Tools Download
35. Hack Tools For Mac
36. Hacking Tools For Kali Linux
37. Black Hat Hacker Tools
38. Computer Hacker
39. Pentest Tools Alternative
40. Hacker Techniques Tools And Incident Handling
41. Top Pentest Tools
42. Pentest Recon Tools
43. Hacker Tools For Ios
44. Hacking Tools Name
45. Hack App
46. Hacker Hardware Tools
47. Hacker Tool Kit
48. Pentest Tools Nmap
49. Hacking App
50. Pentest Tools Open Source
51. Hack Tool Apk No Root
52. Physical Pentest Tools
53. Nsa Hack Tools
54. Pentest Tools Android
55. Hack Tools Pc
56. What Is Hacking Tools
57. Hacker Tools Hardware
58. Pentest Recon Tools
59. Free Pentest Tools For Windows
60. Game Hacking
61. Hacking Tools Windows
62. Hacker Tools Mac
63. Hacking Tools Windows 10
64. New Hacker Tools
65. Github Hacking Tools
66. Hacker Techniques Tools And Incident Handling
67. Pentest Tools For Windows
68. Hacking Tools For Windows
69. Pentest Tools For Mac
70. Hacker Tools
71. Hacking Tools For Windows
72. Pentest Tools Find Subdomains
73. Hacker Hardware Tools
74. Nsa Hacker Tools
75. Hacker Security Tools
76. Pentest Tools List
77. Hacking Tools Github
78. Hacking Tools Windows 10
79. Hacker Tools Linux
80. Hack Website Online Tool
81. Pentest Tools Free
82. Pentest Tools Tcp Port Scanner
83. Hacker Tools For Windows
84. Hacking Tools For Windows Free Download
85. Growth Hacker Tools
86. Wifi Hacker Tools For Windows
87. Hacking Tools 2020
88. Hacking Tools For Windows
89. Hacker Tools Github
90. Usb Pentest Tools
91. Hacking Tools For Windows
92. Pentest Tools List
93. New Hacker Tools
94. Hacking Tools Free Download
95. Hack And Tools
96. Best Pentesting Tools 2018
97. Hacking Tools Online
98. Hacking Tools For Kali Linux
99. Hacking Tools And Software