[WEB SECURITY] client-side referer spoofing

James Manico jim at manico.net
Wed Jun 23 20:58:21 EDT 2010


Referrer headers leak on SSL pages - but only when users click on
other SSL pages (on most browsers from just a few months back).

Jim Manico

On Jun 23, 2010, at 1:08 PM, mckt <mckt at skeptikal.org> wrote:

> On 06/23/2010 01:20 PM, Arian J. Evans wrote:
>> I think the original poster is asking:
>>
>> "How do you spoof/forge the Referer field when performing a client-side
>> attack like XSS or HTTP/RS or CSRF?"
>>
>> Their question makes sense if you read it that way. Obviously we all
>> know if you can craft the raw HTTP request you can put whatever you like
>> anywhere in it, including arbitrary HTTP Header injection/manipulation.
>>
>> However, by and large this is not possible with client-side attacks
>> today, excluding older broken versions of RIA-players like Flash.
>>
>> I think the poster is asking if you have new techniques to share like
>> the old Flash HTTP Header injection.
>
> I have old techniques to share. I admit I haven't fully kept up on which ones work and which don't with which browsers. Your mileage may vary.
>
> Check whether you can send an empty referer (most apps allow it, to make sure paranoids like us can use the app). If so, you may be able to strip referers using a variety of techniques - SSL, get the victim to click a link from a non-website (email, IM, etc).
>
> If they're just checking the domain against a whitelist, look for open redirects.
>
> Remember to take a look at the crossdomain.xml file - issues there may allow you to forge headers with Flash objects.
>
> --
> Mike Bailey
> http://skeptikal.org
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to the confirmation email
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>

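The two weaknesses Mike describes (accepting an empty Referer, and matching only the domain against a whitelist) side by side with a check that fails closed and compares the full origin. This is an added defender-side example, not code from the thread; `ALLOWED_ORIGINS`, `lenient_check` and `strict_check` are hypothetical names and the header dicts are constructed input.

```python
from urllib.parse import urlsplit

# Constructed whitelist: exact origins (scheme + host + port), not bare domains.
ALLOWED_ORIGINS = {"https://app.example.com"}


def _origin_of(url):
    """Reduce a Referer URL to its origin, or None if it is unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def lenient_check(headers):
    """The weak pattern: empty Referer passes, domain is a substring match."""
    ref = headers.get("Referer", "")
    if ref == "":
        return True
    return "app.example.com" in ref


def strict_check(headers):
    """Fail closed: prefer Origin, fall back to Referer, reject if both absent,
    and require the exact origin to be in the whitelist."""
    origin = headers.get("Origin")
    if origin is None:
        ref = headers.get("Referer")
        if not ref:
            return False  # stripped or empty referer is not a free pass
        origin = _origin_of(ref)
    return origin in ALLOWED_ORIGINS


if __name__ == "__main__":
    samples = [
        {},                                                   # referer stripped
        {"Referer": ""},                                      # empty referer
        {"Referer": "https://app.example.com/page"},          # genuine
        {"Referer": "https://app.example.com.evil.test/"},    # lookalike host
        {"Referer": "https://evil.test/?next=https://app.example.com/"},
    ]
    for h in samples:
        print(h, "lenient:", lenient_check(h), "strict:", strict_check(h))
```

An exact-origin check still cannot tell a request launched via an open redirect on the allowed origin from a genuine one, which is why an anti-CSRF token is needed alongside it.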