
I found a login form on a website that redirects you regardless of whether the inserted credentials are correct or wrong (302 redirect). I noticed that the value of the Referer: header is sent in the Location: header of the response. So, for example, if Referer is set to https://www.google.com you will be redirected to https://www.google.com. Is it possible to set an arbitrary Referer value via CSRF and redirect other users?

  • @SteffenUllrich, I'm asking if it's possible to set an arbitrary referer header value or add another referer header to the request. – Dees Peeleey Oct 09 '19 at 20:17
  • I believe the accepted answer on the linked question does in fact answer your question. – Mike Ounsworth Oct 09 '19 at 20:55
  • @MikeOunsworth, There's no referer restriction here. Every referer is accepted as a valid redirect URL. Does that mean that it's not possible? – Dees Peeleey Oct 09 '19 at 20:57
  • The accepted answer on the other question is: _"In my knowledge, referrer headers cannot be changed if there is no xss flaw. Ajax requests are also not allowed to change the referrer header"_. – Mike Ounsworth Oct 09 '19 at 21:07

1 Answer


Reference (borrowed from the answer to the linked question):

(emphasis mine)

Verifying origin with standard headers

This defense technique is specifically proposed in section 5.0 of Robust Defenses for Cross-Site Request Forgery. This paper proposes the first creation of the Origin header and its use as a CSRF defense mechanism.

There are two steps to this mitigation, both of which rely on examining an HTTP request header value.

  • Determining the origin the request is coming from (source origin). This can be done via the Origin and/or Referer header.

  • Determining the origin the request is going to (target origin).

On the server side we verify whether both of them match. If they do, we accept the request as legitimate (meaning it's a same-origin request), and if they don't, we discard the request (meaning that the request originated cross-domain). Reliance on these headers comes from the fact that they cannot be altered programmatically (using JavaScript in an XSS) as they fall under the forbidden headers list (i.e., only browsers can set them).

Mike Ounsworth
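As an added example (not code from the question, the answer, or the quoted OWASP text), the two steps of the mitigation above in Python: derive the source origin from Origin or Referer, compare it with the target origin, and reject on mismatch. It goes one step beyond the quote by applying the same check to the Referer-driven redirect the question describes, so a cross-origin Referer is never echoed into Location. The host `www.example.com` and the header dictionaries are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its origin (scheme://host[:port]); None if it is not a usable http(s) URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # also covers the literal "null" Origin and relative references
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def source_origin(headers: dict) -> Optional[str]:
    """Step 1: where the request came from. Prefer Origin; fall back to Referer only if Origin is absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" in lowered:
        return origin_of(lowered["origin"])  # "null" -> None -> rejected, conservatively
    if "referer" in lowered:
        return origin_of(lowered["referer"])
    return None  # neither header present: cannot verify, so treat as cross-origin


def is_same_origin_request(headers: dict, target_origin: str) -> bool:
    """Step 2: accept only when the source origin is known and equals the target origin."""
    src = source_origin(headers)
    return src is not None and src == origin_of(target_origin)


def post_login_redirect(headers: dict, target_origin: str, fallback: str = "/") -> str:
    """Redirect target for a login handler: echo Referer only when it is same-origin,
    otherwise send the user to a fixed, server-chosen path."""
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if referer and origin_of(referer) == origin_of(target_origin):
        return referer
    return fallback


if __name__ == "__main__":
    site = "https://www.example.com"  # constructed target origin
    print(is_same_origin_request({"Origin": "https://www.example.com"}, site))   # True
    print(post_login_redirect({"Referer": "https://www.google.com/"}, site))      # /
```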