Using referer field for authentication or authorization

From OWASP
Revision as of 17:44, 13 April 2006 by Jeff Williams (Talk | contribs)

Overview

The referrer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

Consequences

  • Authorization: Actions that would otherwise not be authorized can be carried out as if they had been validated by the referring server.
  • Accountability: Actions may be taken in the name of the referring server.

Exposure period

  • Design: Authentication methods are generally chosen during the design phase of development.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Very High

Avoidance and mitigation

  • Design: Use other means of authorization that cannot be simply spoofed.

Discussion

The referrer field in HTTP requests can be trivially modified by malicious users, rendering it useless as a means of checking the validity of the request in question. To usefully check whether a given action is authorized, some means of strong authentication and method protection must be used.

Examples

In C/C++:

 sock = socket(AF_INET, SOCK_STREAM, 0);
 ...
 bind(sock, (struct sockaddr *)&server, len);
 ...
 while (1) {
   newsock = accept(sock, (struct sockaddr *)&from, &fromlen);
   pid = fork();
   if (pid == 0) {
     n = read(newsock, buffer, BUFSIZE);
     buffer[n] = '\0';
     ...
     /* Trusts the client-supplied Referer header as proof of authorization */
     if (strstr(buffer, "Referer: http://www.foo.org/dsaf.html") != NULL) {
       /* do stuff */
     }
   }
 }

In Java:

 import java.io.*;
 import java.net.*;

 public class httpd extends Thread {

   Socket cli;

   public httpd(Socket serv) {
     cli = serv;
     start();
   }

   public static void main(String[] a) throws IOException {
     ...
     ServerSocket serv = new ServerSocket(8181);
     for (;;) {
       new httpd(serv.accept());
     }
     ...
   }

   public void run() {
     try {
       BufferedReader reader =
         new BufferedReader(new InputStreamReader(cli.getInputStream()));
       // Reads the request and grants access if it carries the expected
       // Referer header, which any client can forge.
       ...
       DataOutputStream o =
         new DataOutputStream(cli.getOutputStream());
       ...
     } catch (IOException e) {
       ...
     }
   }
 }
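The following added example (not code from the OWASP page) puts the flawed check from the C and Java snippets above beside the kind of check the Discussion section calls for. It parses constructed HTTP requests, shows that the Referer comparison grants access to any request that merely carries the expected string, and contrasts it with authorization by a server-issued session token looked up in server-side state. The `sid` cookie name, the hashed session table and the `issue_session` helper are assumptions made for the illustration.

```python
import hashlib
import secrets
from typing import Optional

# URL the page's examples compare the Referer header against.
TRUSTED_REFERER = "http://www.foo.org/dsaf.html"


def build_request(path: str = "/admin/delete", referer: Optional[str] = None,
                  cookie: Optional[str] = None) -> bytes:
    """Construct a minimal HTTP/1.1 GET request (sample input, not captured traffic)."""
    lines = [f"GET {path} HTTP/1.1", "Host: www.foo.org"]
    if referer is not None:
        lines.append(f"Referer: {referer}")
    if cookie is not None:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def parse_headers(raw: bytes) -> dict:
    """Return the request headers as a lower-cased name -> value dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def authorize_by_referer(raw: bytes) -> bool:
    """The flawed check from the page's examples: the client controls Referer,
    so this grants access to whoever sends the expected string."""
    return parse_headers(raw).get("referer") == TRUSTED_REFERER


# Hardened alternative (assumed design): authorize only by a session token the
# server itself issued after real authentication. Tokens are stored hashed so
# a leaked table cannot be replayed.
_SESSIONS: dict = {}


def issue_session(user: str) -> str:
    """Create a session for an already-authenticated user and return its token."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = user
    return token


def authorize_by_session(raw: bytes) -> Optional[str]:
    """Return the user owning the 'sid' cookie, or None if absent or unknown."""
    cookie = parse_headers(raw).get("cookie", "")
    for part in cookie.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "sid":
            return _SESSIONS.get(hashlib.sha256(value.encode()).hexdigest())
    return None


if __name__ == "__main__":
    # A request whose only "credential" is a Referer header the client chose.
    forged = build_request(referer=TRUSTED_REFERER)
    print("referer check:", authorize_by_referer(forged))   # True: wrongly granted
    print("session check:", authorize_by_session(forged))   # None: correctly denied
    sid = issue_session("alice")
    print("with session:", authorize_by_session(build_request(cookie=f"sid={sid}")))
```

The session lookup never consults Referer at all; the header can still be logged for diagnostics, but nothing about access depends on it. In a real deployment the token would also be bound to an expiry and to the Secure/HttpOnly cookie attributes, which are outside the scope of this illustration.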

Related problems

  • Trusting self-reported IP address
  • Using the referer field for authentication