
spoofing HTTP_REFERER?



chump2877
11-22-2006, 02:48 AM
I have a form using the GET method.

I was wondering if I could protect myself (and my form) from remote form submissions by using a HTTP_REFERER check.

I don't see a way of spoofing the HTTP_REFERER if my form uses the GET method.

Now, if I were to use POST as my method, then spoofing the HTTP_REFERER is as easy as adding a REFERER value to the HTTP headers of my form results page.

But with GET, am I safe to use an HTTP_REFERER check on my form's results page, to ensure that the form's submission is only initiated on MY server? So that someone can't mimic my form's submission on another server? Would this work? Is there a way a hacker might beat this?

Thanks.

SeeIT Solutions
11-22-2006, 06:13 AM
I'd use a session or cookie that gets set on the form page and checked on the results page.

marek_mar
11-22-2006, 06:54 AM
But with GET, am I safe to use an HTTP_REFERER check on my form's results page, to ensure that the form's submission is only initiated on MY server? So that someone can't mimic my form's submission on another server? Would this work? Is there a way a hacker might beat this?

It's only as easy as it is with POST. What about those not sending the referrer at all?

CFMaBiSmAd
11-22-2006, 07:21 AM
HTTP_REFERER, one of my favorite subjects. All of the HTTP_xxxxxx variables are set through headers sent by the browser/script that is making the request to the web server. They are optional and can be set to anything. You cannot rely on them being present and you cannot rely on the contents. The popular phpproxy script specifically sets HTTP_REFERER to be the same as the URL that is being requested.

Whether you use the GET or POST method makes no difference (GET is a little easier to abuse, you only need to form a url to submit to your processing code.)

Do what SeeIT Solutions suggests, but use a session. If you destroy the session within the form processing code, no one can make a copy of the session cookie that is sent and reuse it. If you use a cookie, it would require you to save and remember a unique value, then delete this remembered value, requiring more code (this saving/remembering the unique value is what the session id is doing when using sessions to accomplish this.)
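
The session approach suggested in this thread (set a value on the form page, check it on the results page, then discard it), shown as an added example that is not part of the original posts. It assumes PHP 7 or later for `random_bytes()`; the `token` and `q` field names and the `form_token` session key are hypothetical.

```php
<?php
// Added example: one file that serves both the GET form and its results page.
// Field names and the 'form_token' session key are hypothetical.
session_start();

function issue_form_token(): string
{
    // Fresh unpredictable value for each form render, remembered server-side.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

function consume_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    // Discard the stored value before comparing, so a copied token
    // cannot be replayed for a second submission.
    unset($_SESSION['form_token']);
    // is_string() rejects a missing value and array input such as ?token[]=x.
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

if (isset($_GET['q'])) {
    // Results step: HTTP_REFERER is deliberately not consulted, because it is
    // an optional, client-supplied header.
    if (!consume_form_token($_GET['token'] ?? null)) {
        http_response_code(403);
        exit('Form expired or was not loaded from this site.');
    }
    $q = is_string($_GET['q']) ? $_GET['q'] : '';
    echo 'You submitted: ' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
    exit;
}

// Form step: issue the token and embed it in the form.
$token = issue_form_token();
?>
<form method="get" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="q">
  <input type="submit" value="Send">
</form>
```

A passing check shows that the requester loaded the form in the same session and has not already used that token; it does not show that the request came from a browser rather than a script.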

chump2877
11-22-2006, 07:25 AM
This is more of a hypothetical question if anything else...I haven't written any code yet....

Let's assume that sessions and cookies aren't an option. Let's also assume that the user agent is sending a HTTP REFERER value. (I'm trying to isolate the effectiveness of HTTP_REFERER in a controlled situation)

I simply want to know if HTTP_REFERER would be reliable in this scenario.

If someone could spoof the HTTP_REFERER in this scenario, how would they do it? I don't see a way....do you?

CFMaBiSmAd
11-22-2006, 07:39 AM
Using curl, the following sets HTTP_REFERER to whatever you want...

curl_setopt($c, CURLOPT_REFERER, 'http://www.yourdomain.com/yourformcode.php');
Edit: Also, using curl, I can send you cookies with anything I want and I can make it look like the request is being made by a browser instead of a script...

Edit2: More info for the GET method, the form values are sent as part of the URL, but when the URL is sent to the web server, headers are still exchanged in both directions. The GET method is not header-less.

chump2877
11-22-2006, 07:46 AM
Whether you use the GET or POST method makes no difference (GET is a little easier to abuse, you only need to form a url to submit to your processing code.)

So if GET requires you to send data via the URL and not via the HTTP headers (or maybe that's wrong?), how could one spoof the HTTP REFERER in the HTTP headers of the GET form's processing code? I guess I see how it's done with a POST form submission, but not with a GET form submission, that's all...I don't see how you can open the equivalent of a socket connection to the subsequent page, write to the HTTP headers, and pass a REFERER value via a GET form (AND pass all of the form data to the subsequent page as well via the URL)...

I'm just trying to figure out how this all works...I'm sure I'm missing something silly or simple...thanks.

CFMaBiSmAd
11-22-2006, 07:50 AM
I was editing the above post with the answer at the same time you were asking the question. I guess mind reading does work over the Internet.

chump2877
11-22-2006, 07:54 AM
Using curl, the following sets HTTP_REFERER to whatever you want...

curl_setopt($c, CURLOPT_REFERER, 'http://www.yourdomain.com/yourformcode.php');
Edit: Also, using curl, I can send you cookies with anything I want and I can make it look like the request is being made by a browser instead of a script...

Edit2: More info for the GET method, the form values are sent as part of the URL, but when the URL is sent to the web server, headers are still exchanged in both directions. The GET method is not header-less.

Perhaps I need to read up on curl and how it's used...In the past I've only ever used fsockopen() to establish a socket connection (seemed to work for me), so I don't know much about curl...So you are saying that using curl in this instance, one could beat my hypothetical GET form and my HTTP REFERER check?

chump2877
11-22-2006, 07:58 AM
I was editing the above post with the answer at the same time you were asking the question. I guess mind reading does work over the Internet.

Haha, I appreciate the help :)

CFMaBiSmAd
11-22-2006, 08:10 AM
Check out the 05-May-2006 04:01 user contributed code at this link - http://us2.php.net/curl

This code can do both get and post (apparently the GET method is curl's default as you must set the CURLOPT_POST option for the POST method.) The CURLOPT_REFERER would just need to be added to this code.

chump2877
11-22-2006, 08:30 AM
Check out the 05-May-2006 04:01 user contributed code at this link - http://us2.php.net/curl

This code can do both get and post (apparently the GET method is curl's default as you must set the CURLOPT_POST option for the POST method.) The CURLOPT_REFERER would just need to be added to this code.

thanks, that code clears things up...Now I'm doubly convinced that HTTP REFERER is unreliable ;)

marek_mar
11-22-2006, 10:40 AM
Let's assume that sessions and cookies aren't an option.
Sessions are always an option. If you can't use cookies you append the id to the url. There is no real possibility of that not working.
With sessions you can implement a referrer system for your site which will always work for you.

felgall
11-22-2006, 11:43 PM
To ensure their privacy many web users configure their browser or firewall to NOT send anything in the referrer field.


