Difference between revisions of "Using referer field for authentication or authorization"

From OWASP
(Reverting to last version not containing links to s1.shard.jp)

Revision as of 11:00, 27 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 05/27/2009


Description

The referrer field (actually spelled 'referer') in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

Consequences

  • Authorization: Actions that would otherwise not be authorized can be carried out as if they had been validated by the referring server.
  • Accountability: Actions may be taken in the name of the referring server.

Exposure period

  • Design: Authentication methods are generally chosen during the design phase of development.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Very High

The referrer field in HTTP requests can be set to any value by a malicious user, rendering it useless as a means of checking the validity of the request in question. In order to usefully check whether a given action is authorized, some means of strong authentication and method protection must be used.


Risk Factors

TBD

Examples

In C/C++:

#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Vulnerable: the server treats a matching Referer header as proof that the request is legitimate */
sock = socket(AF_INET, SOCK_STREAM, 0);
/* ... */
bind(sock, (struct sockaddr *)&server, len);
/* ... */
while (1) {
  newsock = accept(sock, (struct sockaddr *)&from, &fromlen);
  pid = fork();
  if (pid == 0) {
    n = read(newsock, buffer, BUFSIZE - 1);
    buffer[n > 0 ? n : 0] = '\0';   /* terminate so the buffer can be searched as a string */
    /* ... */
    /* Any client can send this exact header, so the match proves nothing about the request's origin */
    if (strstr(buffer, "Referer: http://www.foo.org/dsaf.html") != NULL) {
      /* do stuff */
    }
  }
}

In Java:

import java.io.*;
import java.net.*;

// Vulnerable: decides what to serve based on the client-supplied Referer header
public class httpd extends Thread {
  Socket cli;
  public httpd(Socket serv) {
    cli = serv;
    start();
  }
  public static void main(String[] a) throws IOException {
    // ...
    ServerSocket serv = new ServerSocket(8181);
    for (;;) {
      new httpd(serv.accept());
    }
    // ...
  }
  public void run() {
    try {
      BufferedReader reader =
        new BufferedReader(new InputStreamReader(cli.getInputStream()));
      String line;
      boolean trusted = false;
      // Check whether the request carries "the proper" Referer; the client controls this value
      while ((line = reader.readLine()) != null && line.length() > 0) {
        if (line.equals("Referer: http://www.foo.org/dsaf.html")) trusted = true;
      }
      DataOutputStream o =
        new DataOutputStream(cli.getOutputStream());
      // ...
    } catch (IOException e) {
      // ...
    }
  }
}

In J2EE:

Any J2EE program that uses

HttpServletRequest.getHeader("referer")

to make a decision is also vulnerable.


Related Attacks


Related Vulnerabilities


Related Controls

  • Design: Use other means of authorization that cannot be simply spoofed.
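The C and Java examples above and this control, side by side as an added example that is not part of the OWASP entry: the same "may this request reach /admin?" decision made the vulnerable way (matching the Referer header) and the hardened way (looking up a server-issued session id in server-side state). The session table, the cookie name, the host and both request buffers are constructed for illustration; header names are matched case-sensitively to keep the parser short.

```c
#include <string.h>
/* Added example, not from the OWASP entry: the "may this request reach /admin?" decision made the
 * vulnerable way (Referer) and the hardened way (server-issued session); all values are constructed. */
#define TRUSTED_REFERER "http://www.foo.org/dsaf.html"
/* Locate the value of header `name` in a raw HTTP/1.1 request (case-sensitive for brevity). */
static const char *find_header(const char *req, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = req, *v, *e;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;
        if (strncmp(p, name, nlen) != 0 || p[nlen] != ':') continue;
        for (v = p + nlen + 1; *v == ' '; v++) {}
        e = strstr(v, "\r\n");
        *len = e ? (size_t)(e - v) : strlen(v);
        return v;
    }
    return NULL;
}
/* VULNERABLE: the Referer is whatever the client chose to put in the request. */
int authorized_by_referer(const char *req) {
    size_t len;
    const char *v = find_header(req, "Referer", &len);
    return v != NULL && len == strlen(TRUSTED_REFERER) && strncmp(v, TRUSTED_REFERER, len) == 0;
}
/* Constructed server-side session store: only the server ever issues these ids. */
struct session { const char *id; int admin; };
static const struct session SESSIONS[] = { {"s3cr3t-session-id-1", 1}, {"guest-session-id", 0} };
/* HARDENED: the decision comes from server-held state keyed by a session id the server issued
 * at login; a client cannot mint one by editing a request header. */
int authorized_by_session(const char *req) {
    size_t len, idlen, i;
    char cookie[256];
    const char *v = find_header(req, "Cookie", &len), *s;
    if (v == NULL || len >= sizeof cookie) return 0;
    memcpy(cookie, v, len); cookie[len] = '\0';
    if ((s = strstr(cookie, "session=")) == NULL) return 0;   /* simplified cookie parsing */
    s += strlen("session=");
    idlen = strcspn(s, "; ");
    for (i = 0; i < sizeof SESSIONS / sizeof SESSIONS[0]; i++)
        if (strlen(SESSIONS[i].id) == idlen && strncmp(s, SESSIONS[i].id, idlen) == 0)
            return SESSIONS[i].admin;
    return 0;
}

/* Constructed requests: one whose only "credential" is a Referer header, one with a real session. */
static const char REQ_REFERER_ONLY[] =
    "GET /admin HTTP/1.1\r\nHost: example.test\r\nReferer: " TRUSTED_REFERER "\r\n\r\n";
static const char REQ_WITH_SESSION[] =
    "GET /admin HTTP/1.1\r\nHost: example.test\r\nCookie: theme=dark; session=s3cr3t-session-id-1\r\n\r\n";
```

The Referer-based check accepts the first request, which carries no credential at all, and rejects the second; the session-based check does the opposite, because only the server can put an id into SESSIONS.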


Related Technical Impacts


References

TBD