Questions tagged [referer]

Referer is the HTTP request header field that contains the address of the webpage from where the request for a web resource originated.

Referer tells the web server the address of the web page from which the resource was requested. The name is a misspelling of "referrer", but the incorrect spelling is the one used by most standards. Referers are generally logged by web applications for analytics. The Referer header is not present for HTTP requests where the URL was typed manually into the browser or opened from a bookmark. The HTTP Referer can easily be spoofed or blocked by the client.

44 questions

CSRF Origin and Referer Header just check host?

Note: This question is not the same as the linked possible duplicate. That question asks how checking the Origin/Referer header protects against CSRF. This question is asking how to implement the specific details. I see a lot of places that to…
srchulo

Fake referer is affecting my google search results

Google search result of my wordpress site is different than original content. We have taken services of security expert and they have scanned the site and database but there is no modification in code and database. Neither they found any plugin…
Derek

Encrypted cookie to prevent csrf attacks

For preventing CSRF attacks does creating an encrypted cookie with a nonce prevent a CSRF attack? In addition, to that checking the referrer against the target origin. I cannot change 1000s of pages to embed the token in each submit and I do not…
bdawg

Detect referer check on redirect

I have a section of my web site that I only want reachable from another portion of my web site. I know that referer spoofing is trivially easy. But, if all requests from an incorrect referrer are met with 303 redirects to an index page, is there any…
TBridges42

What security exposure (if any) can result from lots of apparently odd referrers in server log

I see relatively many referrers such as the following (as reported by Webalizer) in a web server log. The server is located outside Russia and it's a small one. 8 3 http://tiandeural.ru/ 19 3 http://timetorest.biz/ 20 3 …
Drux

Lots of bot hits, referer seems to be the variable

I've recently (over the last 15 minutes) had quite a few hits from the same IP. It's in a country on our blacklist, so they just end up on our "Access Denied" page, but I was just interested in what benefit a would-be bot/attacker could gain from…
Jamie Taylor

Why do famous frameworks like Django (and probably Rails) use both the synchronizer token pattern and Origin/Referer header checks for preventing CSRF attacks?

I see in the source code of Django that they do use both synchronizer token pattern and Origin/Referer header checks. I understand that if you are using the double-submit technique via cookie the following attack will work and you need to check for…

window.history.pushState as a solution to document.referer

The problem: Having URL parameters in a web page URL address to add functionality to a website (authenticate/authorize showing stuff in the UI, being used in further HTTP requests on load, etc.) can pose a security risk because when an end-user…

Unknown vulnerability name Referer header and Access-Control-Allow-Origin

When reviewing an application, I saw the "Access-Control-Allow-Origin" header as a response. When I modified the "Origin" header in the request, I got a 404, which was fine. So no CORS vulnerability. When I changed the domain in the "Referer"…

How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?

Take an example of Google Maps. Google Maps provides a JavaScript client SDK, which means any web app running JavaScript can access the Google Maps SDK. You need to use an API_KEY so that Google can rate limit your requests and apply some quota on…

Why is it not possible to spoof referer and origin header with XHR?

Technically speaking, it is possible to spoof both headers using an intercepting proxy but that's useless because we are doing it ourselves as an attacker. When we send an ajax request using JS from another domain with our spoofed referer and origin…

Is it a good idea from a security standpoint to disable Referer headers in the browser? What discomforts will you have to deal with?

So what kind of discomfort will you have to deal with? Will it break websites? Or is it just a win for privacy? You can disable the Referer headers in Firefox like this: Open Firefox and type “about:config” in the address bar and press “Enter“. …
Sir Muffington

Referer value reflected in location response?

I found a login form on a website that redirects you regardless of whether the entered credentials are correct or wrong (302 redirect). I noticed that the value of the Referer: header is sent back in the Location: header of the response. So for example, if Referer is…

Origin CSRF check fails on page load

I'm trying to build a generic filter for many applications where the developer would specify what origins they want to accept requests from and my filter would do an origin check to prevent CSRF. However on page load, there's no origin header or…
winhowes