The referer field in HTTP requests can be easily modified and,
as such, is not a valid means of message integrity
checking.
Alternate Terms
referrer:
While the proper spelling might be regarded as "referrer," the HTTP
RFCs and their implementations use "referer," so this is regarded as the
correct spelling.
Time of Introduction
Architecture and Design
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Authorization
Actions, which may not be authorized otherwise, can be carried out as
if they were validated by the server referred to.
Accountability
Actions may be taken in the name of the server referred to.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
(Bad Code)
C and C++
sock= socket(AF_INET, SOCK_STREAM, 0);
...
bind(sock, (struct sockaddr *)&server, len)
...
while (1) newsock=accept(sock, (struct sockaddr *)&from,
&fromlen);
pid=fork();
if (pid==0) {
n = read(newsock,buffer,BUFSIZE);
...
if (buffer+...==Referer: http://www.foo.org/dsaf.html) //do
stuff
(Bad Code)
Java
public class httpd extends Thread {
Socket cli;
public httpd(Socket serv) {
cli=serv;
start();
}
public static void main(String[] a) {
...
ServerSocket
serv=new ServerSocket(8181);
for(;;) {
new h(serv.accept());
...
public void run() {
try {
BufferedReader reader = new BufferedReader(new
InputStreamReader(cli.getInputStream())); //if i
contains a the proper referer.
DataOutputStream o= new
DataOutputStream(c.getOutputStream());
...
Potential Mitigations
Phase
Description
Architecture and Design
In order to usefully check if a given action is authorized, some means
of strong authentication and method protection must be used. Use other
means of authorization that cannot be simply spoofed. Possibilities
include a username/password or certificate.
Background Details
The referer field in HTML requests can be simply modified by malicious
users, rendering it useless as a means of checking the validity of the
request in question.
Description
