Web Application Security
Re: [WEB SECURITY] Help with referer issues in XSS
Mar 05 2012 01:24PM
Stefano Di Paola (stefano dipaola wisec it)
Also check for:
5. www.example.com.attacker.com/.. as the referrer
just in case the referrer checking regexp is broken.
On Fri, 02/03/2012 at 18.30 -0800, super evr wrote:
> Here's a couple things to try that I've learned in my experience.
> First you can find out more about how the application is checking the REFERER.
> Find out if the application is only verifying parts of the REFERER or
> the entire URL. Try taking parts of the REFERER out and see if the
> request is still valid, for example:
> 1. www.example.com/profile.jsp [original]
> 2. www.example.com/arbitrary_page.jsp
> 3. [no referrer]
> 4. www.attacker.com/www.example.com/profile.jsp
> If you find a redirector on the site, you can use .
> If the request is allowed with no REFERER, the attack site can be
> hosted on HTTPS since HTTPS->HTTP won't send the REFERER.
> Create a new folder on the attack site with the URL of the victim site.
> If the referrer checking is strict, then the attack might not be
> as easy. Either way, vuln is still vuln.
> On Mar 2, 2012, at 10:43 AM, Tim <tim-security (at) sentinelchicken (dot) org [email concealed]> wrote:
> > Hello,
> >> Suppose there is a reflected XSS vulnerability in a pop SNS, but this
> >> site is "concerned" about security, so they check the referer field of
> >> certain POST requests to make sure that they are normal and correct. Is
> >> it that I can't set this parameter like this:
> >> xmlHttp.setRequestHeader("Referer","http://expected.target");
> >> It would be appreciated if someone could give me a clue.
> > I'm always interested to see what the community's response is to this
> > question. It comes up relatively frequently in the context of CSRF
> > (since this kind of checking can mitigate CSRF). Often most people
> > are skeptical that this kind of checking is sufficient to prevent CSRF
> > and reflected XSS, but in recent times, I am not aware of a way around
> > it in the general case.
> > Old versions of Flash do allow one to set Referer cross-domain, but it
> > is my impression this was fixed quite some time ago. Various XHR API
> > vulnerabilities have also existed in the past to allow for injection
> > of restricted headers, like Referer, but these could be seen as
> > browser vulnerabilities.
> > Recently it was pointed out how headers containing '-' can be
> > spoofed due to foolishness in CGI-compatible APIs that transliterate
> > header names, but Referer of course doesn't have a '-'.
> > Can anyone give an example of how one would get around Referer
> > checking?
> > tim
> > 1. http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/201
> > _______________________________________________
> > The Web Security Mailing List
> > WebSecurity RSS Feed
> > http://www.webappsec.org/rss/websecurity.rss
> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > WASC on Twitter
> > http://twitter.com/wascupdates
> > websecurity (at) lists.webappsec (dot) org [email concealed]
> > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
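The five Referer variants listed in this thread (the original page, another page on the same host, no Referer at all, the expected URL embedded in the path of another host, and the expected host used as a prefix of another host) are exactly the cases a server-side check has to get right. The following is an added defender-side example, not code from any poster or from the list: a substring-regexp check of the kind Stefano warns about, beside a check that parses the header as a URL and compares scheme and host exactly. The host `www.example.com`, the sample header values and the `allow_missing` policy switch are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Referer values mirroring the variants listed in the thread.
SAMPLES = {
    "original":   "http://www.example.com/profile.jsp",                 # 1
    "other_page": "http://www.example.com/arbitrary_page.jsp",          # 2
    "missing":    None,                                                 # 3
    "path_trick": "http://www.attacker.com/www.example.com/profile.jsp", # 4
    "host_trick": "http://www.example.com.attacker.com/..",             # 5
}

EXPECTED_HOST = "www.example.com"  # assumed host of the protected application


def naive_referer_check(referer):
    """Broken check: a substring regexp anywhere in the header value.

    It trusts a missing header and accepts both variant 4 (expected host in
    the path) and variant 5 (expected host as a prefix of another host).
    """
    if referer is None:
        return True
    return re.search(r"www\.example\.com", referer) is not None


def strict_referer_check(referer, expected_host=EXPECTED_HOST, allow_missing=False):
    """Parse the Referer as a URL and compare scheme and host exactly.

    urlsplit().hostname is lowercased and has any port stripped, so the
    comparison is a whole-label match, not a prefix or substring match.
    allow_missing=False treats an absent or empty header as a failed check,
    which closes the HTTPS->HTTP "no Referer sent" path described above.
    """
    if not referer:
        return allow_missing
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname == expected_host


def evaluate(check):
    """Run one check function over every sample and return {name: verdict}."""
    return {name: check(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for fn in (naive_referer_check, strict_referer_check):
        print(fn.__name__)
        for name, verdict in evaluate(fn).items():
            print(f"  {name:11s} -> {'accept' if verdict else 'reject'}")
```

Running it shows the naive regexp accepting all five variants while the strict check accepts only the two genuine same-host referrers. The policy question the thread raises (whether to accept requests with no Referer at all) is isolated in the `allow_missing` flag so it can be decided explicitly rather than falling out of the regexp by accident.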
Copyright 2010, SecurityFocus