[WEB SECURITY] client-side referer spoofing

Arian J. Evans arian.evans at anachronic.com
Wed Jun 23 16:20:57 EDT 2010


I think the original poster is asking:

"How do you spoof/forge the Referer field when performing a client-side
attack like XSS or HTTP/RS or CSRF?"

Their question makes sense if you read it that way. Obviously we all know if
you can craft the raw HTTP request you can put whatever you like anywhere in
it, including arbitrary HTTP Header injection/manipulation.

However, by and large this is not possible with client-side attacks today,
excluding older broken versions of RIA-players like Flash.

I think the poster is asking if you have new techniques to share like the
old Flash HTTP Header injection.

---
Arian Evans


On Wed, Jun 23, 2010 at 12:43 PM, Kapoor, Nilesh R <NKapoor at ciber.com> wrote:

> Hi,
>
> Referer spoofing means sending an invalid/manipulated URL to the
> application. This is usually accomplished by manipulating the Referer field
> in the HTTP request using a proxy tool (Burp/Paros/Webscarab, etc.). The
> application needs to validate the Referer field before serving the next
> request. This has nothing to do with client-side validation.
>
>
>
> Regards,
>
> Nilesh
>
>
>
> *From:* Joshua Gimer [mailto:jgimer at gmail.com]
> *Sent:* Thursday, June 24, 2010 12:57 AM
> *To:* Jacky Jack
> *Cc:* websecurity at webappsec.org
> *Subject:* Re: [WEB SECURITY] client-side referer spoofing
>
>
>
> On Wed, Jun 23, 2010 at 1:32 AM, Jacky Jack <jacksonsmth698 at gmail.com>
> wrote:
>
> hi
>
> As of now, how can you spoof referer to fool the application that checks
> referer info?
> All of client-side weaknesses have been fixed and now spoofing
> referer is not possible.
>
>
> Can you please elaborate on what is meant by "All of client-side weaknesses
> have been fixed and now spoofing referer is not possible."?
>
> You should easily be able to spoof the Referer header using a
> software-based proxy like Burp or WebScarab. You can also automate the
> change using Firefox and RefControl (http://www.stardrifter.org/refcontrol/)
> or netsed (http://packetstormsecurity.org/UNIX/misc/netsed.tgz).
>
>
>
> Please share your technique.
>
> Thank you.
>
>
> --
> Thanks,
> Joshua Gimer
>
> ---------------------------
>
> http://www.linkedin.com/in/jgimer
> http://twitter.com/jgimer
> http://itsecops.blogspot.com/
>
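
Added example, not part of any message in this thread: a server-side Referer/Origin check for state-changing requests, the kind of application check the thread is discussing. As the thread notes, a client that crafts its own raw request can send any Referer, so this check only constrains requests issued from a victim's browser. The trusted origin `shop.example`, the sample requests and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption (hypothetical value): the one origin allowed to send state-changing requests.
TRUSTED_ORIGINS = {("https", "shop.example", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Return (scheme, host, port) of an absolute URL, or None if it is unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed port or host
        return None
    if not parts.hostname or port is None:
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def check_request(method, headers, trusted=TRUSTED_ORIGINS):
    """Return (allowed, reason); headers is a dict with lower-case keys."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, not checked"
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value is None:
            continue
        # Compare the parsed origin exactly; substring or prefix matching
        # would accept look-alike hosts and URLs that embed the trusted name.
        if origin_of(value) in trusted:
            return True, f"{name} matches a trusted origin"
        return False, f"{name} is not a trusted origin"
    # Header stripped or absent: fail closed for state-changing requests.
    return False, "no origin or referer header"


# Constructed sample requests (not taken from the thread).
SAMPLES = [
    ("POST", {"referer": "https://shop.example/account/email"}),
    ("POST", {"referer": "https://shop.example.attacker.test/account"}),
    ("POST", {"referer": "https://attacker.test/?next=https://shop.example/"}),
    ("POST", {"origin": "null"}),
    ("POST", {}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers, "->", check_request(method, headers))
```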