Questions tagged [referer]

Referer is the HTTP request header field that carries the address of the web page (or other resource) from which the request for a web resource originated.

Referer tells the web server the address of the web page from which the resource was requested. It is a misspelling of "referrer", but the misspelling is the one used by the HTTP standards (RFC 7231 and its predecessors) and by all browsers. Referers are commonly logged by web servers and applications for analytics. The header is not sent when the user types the URL into the address bar or opens a bookmark, and browsers also omit it when the referring resource is a local file: or data: URI; it can further be suppressed or reduced to the bare origin by the Referrer-Policy header, by rel="noreferrer" on links, and by the user's browser settings. Because the value is set by the client, any non-browser client (curl, a script, an intercepting proxy) can send an arbitrary Referer, so a server-side Referer check only constrains what a victim's browser will send on an attacker's behalf (its limited role in CSRF defence) and must never be treated as proof of where a request came from. The header also leaks information in the other direction: a URL that carries secrets, such as a password-reset token in the query string, is sent to every third-party resource the page loads unless a referrer policy prevents it.
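As an added example that is not part of the tag wiki, the following Node.js snippet contrasts the substring-style Referer check seen in many applications with a strict comparison of the parsed origin, and keeps the absent-header case separate so the caller can decide how to treat it. The server origin and the sample header values are constructed for illustration.

```javascript
// Added example: strict Referer validation for a state-changing request.
// Not code from the original page; the server origin and the sample
// headers below are constructed for illustration. Uses the WHATWG URL
// class that is global in Node.js and browsers.

// Weak check in the style of "does the referer contain our host name?".
// Kept only to show what goes wrong: a substring test accepts any
// referer that merely contains the host, e.g. https://example.com.evil.net/
function weakRefererCheck(referer, serverName) {
  return typeof referer === 'string' && referer.includes(serverName);
}

// Strict check: parse the header as a URL and compare the whole origin
// (scheme + host + port) with the expected origin.
// Returns 'allow', 'reject', or 'missing'.
// 'missing' is reported separately because browsers legitimately omit
// the header (typed URL, bookmark, privacy settings, Referrer-Policy),
// so the caller decides: a state-changing POST should treat 'missing'
// as a rejection (or fall back to the Origin header / a CSRF token),
// while a plain page load can usually proceed.
function checkReferer(referer, expectedOrigin) {
  if (referer === undefined || referer === null || referer === '') {
    return 'missing';
  }
  let parsed;
  try {
    parsed = new URL(referer);
  } catch (e) {
    return 'reject'; // a malformed header is treated as hostile input
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return 'reject';
  }
  // URL.origin lower-cases the host and drops default ports, so the
  // expected origin is normalised the same way before comparing.
  return parsed.origin === new URL(expectedOrigin).origin ? 'allow' : 'reject';
}

// Policy for a state-changing request: only an explicit origin match passes,
// so an absent header is not enough on its own.
function isStateChangeAllowed(referer, expectedOrigin) {
  return checkReferer(referer, expectedOrigin) === 'allow';
}

const ORIGIN = 'https://example.com'; // constructed server origin
const samples = [
  'https://example.com/account/settings',         // genuine same-origin page
  'https://example.com.evil.net/phish',           // host name as a suffix
  'https://evil.net/?next=https://example.com/',  // host name in the query
  'http://example.com/',                          // right host, wrong scheme
  undefined,                                      // header absent
];
for (const s of samples) {
  console.log(
    JSON.stringify(s),
    'weak:', weakRefererCheck(s, 'example.com'),
    'strict:', checkReferer(s, ORIGIN)
  );
}
```

The weak check passes the second and third samples, which is exactly the bypass a substring match invites; the strict check rejects them, rejects a scheme downgrade, and leaves the missing-header decision to the caller rather than silently allowing or denying it.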

44 questions
9 votes, 4 answers

Does referrer header checking offer any real world security improvement?

At work we use a central portal that provides basic SSO functionality to other applications. In addition to verifying the SSO data sent, all of our existing in-house applications (used by the public) also check the referrer header to make sure that…
asked by Harry Muscle
9 votes, 2 answers

How does sending referrer HTTP headers protect against CSRF attacks?

How does sending referrer HTTP headers protect against CSRF attacks? I tried logging into an HTTPS site with Firefox's network.http.sendRefererHeader set to 0 (i.e., completely disabled, as a measure against tracking), and it said: Forbidden…
asked by Geremia
7 votes, 3 answers

How to avoid referer information leakage during password reset

Most password reset systems involve emailing the user a one-time link that lets them reset their password. The token needs to be in the URL, as most email clients do not allow HTML emails to perform POST requests, and asking the user to retype the…
asked by paj28
7 votes, 3 answers

What are the risk implications of not verifying referer header on login form?

Imagine a generic web application with a login form to access the application. Regardless of how the actual authentication is performed, what are the implications of not checking the referer header to verify the submit request is coming from within…
asked by Steve
7 votes, 1 answer

Is displaying a non-encoded HTTP Referer header vulnerable to XSS?

Consider the following PHP script (it could be any other language; I chose PHP for simplicity): Is it vulnerable to XSS? Of course I can send a request to the script using curl and set referer to something…
5 votes, 4 answers

What risks are introduced by the browser passing the "referer" to the next site visited from a link to another domain?

As of today, I believe every major browser will by default reveal to a third-party site which site I came from, and more specifically, the exact URL I came from. What are the privacy implications of the "Referer" being shared, and is this a…
asked by RomanSt
5 votes, 3 answers

Is it unsafe to redirect to the referer URL?

Is it a problem when URLs in a web application redirect to the URL specified in the Referer header? It's not an open redirect like any of the /whatever?url=evil.com examples I've seen, that can be exploited by having users click on a link to the…
asked by mwl
5 votes, 1 answer

How to check for cross-domain referrer leakage?

I am learning pen testing on web applications. I found the vulnerability cross-domain referrer leakage very interesting. Can anybody please tell me how to check for this vulnerability on any web application?
asked by Webster
5 votes, 2 answers

Is there any effective server-side prevention technique against PHP-aided CSRF?

I'm gonna start by saying it: I'm merely a cybersecurity enthusiast, not an expert. Thus, I'm gonna state what I think I know so far, please feel free to correct me at any time. Through my readings, I've come to learn about: The existence of CSRF…
asked by MadWard
4 votes, 3 answers

How to implement password reset functionality without becoming susceptible to cross-domain referer leakage?

I have typically implemented password reset functionality by sending a link that included something like this: http://example.com/pwreset?id=userId&resetToken=superSecretResetToken On my pwreset page I will typically request a few resources from…
asked by Abe Miessler
4 votes, 2 answers

Opening a saved web page: Is referer file:// sent?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer A Referer header is not sent by browsers if the referring resource is a local "file" or "data" URI. Is this true for all major, modern browsers (Safari, Chrome, Firefox,…
asked by forthrin
4 votes, 1 answer

How to forge Referer Header in GET method triggered on HTML

I'm looking through the CSRF vulnerabilities of the DVWA. I run into the medium level which uses this piece of code to validate if the referer header equals the server name: if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ). If…
asked by fish202
4 votes, 0 answers

Security risks with iframe widget for different tools

We are building user profiles which can be embedded in clients' websites. We are embedding those as an iframe in the client's web page with the user's id as a parameter to the iframe URL. We have an authentication token to allow access to the profile. With this approach the…
asked by Ruchit Rami
3 votes, 1 answer

Protect against clickjacking but allow framing on domain?

I'd like to protect against clickjacking using the X-Frame-Options header, but we occasionally frame secure content on the insecure version of our site1: Since it looks like only Firefox currently supports the ALLOW-FROM form of the header, I'm…
asked by s4y
3 votes, 1 answer

using rel="noreferrer" without rel="noopener" or without target="_blank"

I have been reading about the security and performance implications of rel="noopener" and rel="noreferrer" in links with target="_blank". These are some of the observations: if you open a link in a new tab from your app, by default it would have…
asked by gaurav5430