I am learning pen testing on web applications. I found the vulnerability cross-domain referrer leakage very interesting. Can anybody please tell me how to check for this vulnerability on any web application?

Anders
Webster

1 Answer

Your browser will add the HTTP Referer header (which, in a sense, indicates the "originating" URL) to most resource requests originating from a web page (exceptions include loading HTTP content from an HTTPS website, and refreshes).

Thus, the simplest way to automate testing is to crawl/spider/monkey your web application and log all requests to other websites. Then collect all the HTTP Referers and see if there is any sensitive information being disclosed.

What you should be looking for is any sensitive data in the GET parameters of these referers (e.g. session IDs, account numbers, etc.). This is a bad practice anywhere, and not just because it allows cross-domain referrer leakage, since this means that users' browser histories and shared URLs are tied directly to their session/account. I've heard about this being reported generally for things like password reset (on edX and on Mozilla), where the URL allowed social media plugins to initiate "reset password", effectively giving their owners the ability to take over accounts.

Simply avoid having sensitive data in GET fields, perform all actions using POST, and use a good one-time-token for generating links to critical actions.

Jedi
  • Thanks for the detailed explanation Jedi, but as I am a noob, I want to test for this vulnerability manually. I really don't understand where to look for the logs. How could an attacker exploit this vulnerability? – Webster Jul 13 '16 at 05:51
  • Let's take a scenario. The victim requested a new password and then he clicked on that link. Now if an attacker sends him a malicious link to his website, say evil.com, and before resetting the password the victim clicks on that evil.com link, then Question 1. **What does this evil.com website or link actually consist of, or how is it configured?** Question 2. **How would the attacker get the victim's session token if this website is vulnerable to cross-domain referrer leakage?** I would appreciate it if you gave me a detailed explanation of every entity in this scenario. – Webster Jul 13 '16 at 05:52
  • You can use spidering and http request logging plugins for Chrome/Firefox to start with (as well as dev tools - press `F12`). I'd suggest reading through the 3 links in the answer first. – Jedi Jul 13 '16 at 06:03
  • In most cases, an attacker will normally not be an arbitrary person/website, but a third-party website whose resources you choose to use (normally social media / analytics plugins or a CDN) in your website. They may receive a Referer header when a request is made by the browser, and this may contain sensitive information. If an arbitrary attacker is able to make you forward traffic through to them, you have a larger problem: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet – Jedi Jul 13 '16 at 06:06
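A small detector for the check the answer describes, added here as an example and not part of the original thread: it takes a crawler/proxy log of (request URL, Referer header) pairs, keeps only requests that leave the application's host, and flags Referers whose query string carries a parameter name that looks sensitive. The sample log, the hostnames and the list of sensitive parameter names are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry secrets. Assumption: extend this for the
# application actually under test (e.g. its own session cookie/token names).
SENSITIVE_PARAMS = {
    "sessionid", "session", "sid", "token", "reset_token",
    "account", "acct", "auth", "api_key",
}

# Constructed sample of what a spidering/request-logging plugin or proxy would
# record: (URL requested by the browser, Referer header sent with it).
SAMPLE_LOG = [
    ("https://cdn.example-static.net/lib.js",
     "https://app.example.com/reset?token=abc123def"),      # cross-host, leaks token
    ("https://app.example.com/static/logo.png",
     "https://app.example.com/reset?token=abc123def"),      # same host, stays internal
    ("https://social.example-plugin.com/widget",
     "https://app.example.com/account?acct=99887766"),      # cross-host, leaks account
    ("https://analytics.example-tracker.com/pixel.gif",
     "https://app.example.com/home"),                       # cross-host, nothing sensitive
]


def host_of(url):
    """Hostname part of a URL ('' if it cannot be parsed)."""
    return (urlsplit(url).hostname or "").lower()


def find_referrer_leaks(log, sensitive=SENSITIVE_PARAMS):
    """Return [(request_url, referer, [leaked parameter names])] for every
    request to a different host whose Referer query string contains a
    parameter from `sensitive`. Hosts are compared exactly, so a request to a
    sibling subdomain is treated as cross-domain (the conservative choice)."""
    leaks = []
    for request_url, referer in log:
        if not referer:
            continue  # browser sent no Referer (e.g. HTTPS -> HTTP downgrade)
        if host_of(request_url) == host_of(referer):
            continue  # same host: the Referer never leaves the application
        params = parse_qsl(urlsplit(referer).query, keep_blank_values=True)
        leaked = sorted({name for name, _ in params if name.lower() in sensitive})
        if leaked:
            leaks.append((request_url, referer, leaked))
    return leaks


if __name__ == "__main__":
    for request_url, referer, names in find_referrer_leaks(SAMPLE_LOG):
        print(f"LEAK to {host_of(request_url)}: {names} via Referer {referer}")
```

Each flagged line is a third party that received the page URL, so the fix is the one given in the answer: move the value out of the query string (POST body or one-time token), then re-run the crawl until the list is empty.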