HTTP headers
krs, 2013-07-12 20:33:08

Can HTTP_REFERER be trusted (read the question first)?

Of course, it should be filtered upon receipt, because there is no problem faking it with the direct participation of an attacker (telnet and the like), but my question is not about that. There is an article "Forging HTTP request headers using Flash ActionScript" (www.securitylab.ru/analytics/271169.php) which shows a good example of forging HTTP_REFERER transparently to the user in a certain browser version with Flash Player enabled. So the question for specialists is: can this header be trusted to identify the page that initiated the request, given that we are dealing with a regular user? Can an attacker forge the request in a modern browser (browsers whose share of total Internet traffic is currently above 1%)? Or is it still better to sign each such request?


6 answer(s)
Nikita Gusakov, 2013-07-12
@hell0w0rd

Of course not. This is what the client sends.
The easiest way to check this is one of the curl options:
-e, --referer Referer URL (H)

Maxim Dyachenko, 2013-07-12
@Mendel

For XSRF it is better to use tokens.
Even if every combination of user software protects the referrer, nobody knows what vulnerability will be found tomorrow.
When I was last interested in this (long ago), the attack was possible.

Sergey Belov, 2013-07-16
@BeLove

At the moment, there are no actual ways to fake a referer in the user's browser if a specific answer to the question is required.

egorinsk, 2013-07-13
@egorinsk

If you make games with cross-domain authorization, put a signature. Some browser plugins and proxies cut out the referer, you will end up with some users not having a referrer and spend a lot of time figuring out why.

Andrey Burov, 2013-07-14
@BuriK666

You cannot trust any data that comes from the user!
(PS: these are generally the basics of WEB development)

rozhik, 2013-07-17
@rozhik

If the problem is that, on a standard unmodified browser without privacy filters, you do not want to allow:
1. a third party to insert a hotlink to the content
2. the user to go directly to the page
3. XHR from the third-party site
then you can.
But I recommend signing serious requests, since more than a third of users have old browser software, and for it you can find many holes in Flash, Java, or something else that would let a third party simulate a transition with an incorrect referrer.
