miércoles, 26 de agosto de 2020

CSRF Referer Header Strip

Intro

Most of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.

A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.

The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.

Solutions for Referer header strip

Most of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that I am going to:
  1. learn something very cool;
  2. have a serious headache from all the new info at the end.
This blog post from him is a bit lighter and covers some useful theoretical background, so make sure you read that first before you continue reading this post. He shows a few nice tricks to strip the Referer, but I was wondering; maybe there is an easier way?

Rich Lundeen (aka WebstersProdigy) made an excellent blog post on stripping the Referer header (again, make sure you read that one first before you continue). The HTTPS to HTTP trick is probably the most well-known one, general and easy enough, but it quickly fails the moment you have an application that only runs over HTTPS (this was my case).

The data method is not browser independent but the about:blank trick works well for some simple requests. Unfortunately, in my case the request I had to attack with CSRF was too complex and I wanted to use XMLHttpRequest. He mentions that in theory, there is anonymous flag for CORS, but he could not get it work. I also tried it, but... it did not work for me either.

Krzysztof Kotowicz also wrote a blog post on Referer strip, coming to similar conclusions as Rich Lundeen, mostly using the data method.

Finally, I bumped into Johannes Ullrich's ISC diary on Referer header and that led to me W3C's Referrer Policy. So just to make a dumb little PoC and show that relying on Referer is a not a good idea, you can simply use the "referrer" meta tag (yes, that is two "r"-s there).

The PoC would look something like this:
<html>
  <meta name="referrer" content="never">
  <body>
    <form action="https://vistimsite.com/function" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      ...
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Conclusion

As you can see, there is quite a lot of ways to strip the Referer HTTP header from the request, so it really should not be considered a good defense against CSRF. My preferred way to make is PoC is with the meta tag, but hey, if you got any better solution for this, use the comment field down there and let me know! :)

Related posts
  1. Pentest Tools For Windows
  2. Hacking Tools Pc
  3. Hacking Tools For Windows
  4. Hacking Tools Free Download
  5. Hacker Tools
  6. Hacks And Tools
  7. Hacker Tools Free
  8. Pentest Tools Apk
  9. Pentest Tools Github
  10. Hacker
  11. Hacker Search Tools
  12. Hacker Tools Github
  13. Hacker Security Tools
  14. Hacking Tools For Pc
  15. Pentest Reporting Tools
  16. Pentest Tools For Windows
  17. Hacking Tools Free Download
  18. Easy Hack Tools
  19. Hack And Tools
  20. Install Pentest Tools Ubuntu
  21. Best Hacking Tools 2020
  22. Pentest Tools Github
  23. Hacking Tools Online
  24. Pentest Tools Tcp Port Scanner
  25. Black Hat Hacker Tools
  26. Hacking Tools For Windows Free Download
  27. Hack Tools Github
  28. Hacking Tools Mac
  29. Pentest Tools Website
  30. Pentest Tools For Windows
  31. Kik Hack Tools
  32. Github Hacking Tools
  33. Blackhat Hacker Tools
  34. Hacking Tools Name
  35. Hacking Tools Hardware
  36. How To Make Hacking Tools
  37. Termux Hacking Tools 2019
  38. Hack Tools Mac
  39. Nsa Hack Tools
  40. New Hack Tools
  41. Underground Hacker Sites
  42. Hacking Tools Free Download
  43. Pentest Recon Tools
  44. Hacking Tools Free Download
  45. Pentest Tools Android
  46. Hacker Tools For Ios
  47. Tools Used For Hacking
  48. Hack App
  49. Hacker Tool Kit
  50. Hacker Tools Free
  51. Pentest Tools For Windows
  52. Pentest Tools Github
  53. Hacking Tools For Windows Free Download
  54. Hacking Tools For Windows Free Download
  55. Kik Hack Tools
  56. Hacking Tools Name
  57. How To Install Pentest Tools In Ubuntu
  58. Tools 4 Hack
  59. Termux Hacking Tools 2019
  60. Hack Tools
  61. Hacker Tools 2019
  62. Hack Tools Download
  63. Hacking Tools For Games
  64. Hackrf Tools
  65. Pentest Tools Apk
  66. Pentest Tools For Android
  67. Hacker Tools Free
  68. Pentest Tools Download
  69. Hacker Tools Mac
  70. Pentest Tools Website Vulnerability
  71. Hack Tools For Ubuntu
  72. What Are Hacking Tools
  73. Install Pentest Tools Ubuntu
  74. Hack Tools Github
  75. Hack Tools Mac
  76. Hack Tool Apk No Root
  77. Hackrf Tools
  78. Pentest Tools Open Source
  79. Hack Tools Pc
  80. World No 1 Hacker Software
  81. Hacker Tools Software
  82. Hacking Tools Download
  83. Pentest Tools Nmap
  84. Pentest Reporting Tools
  85. Hack Tools For Windows
  86. Hacking Tools Download
Publicado por en

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)