Using referer field for authentication or authorization

From OWASP
Revision as of 19:14, 27 May 2006 by Jeff Williams (Talk | contribs)

Jump to: navigation, search


Overview

The referrer field (actually spelled 'referer') in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

Consequences

  • Authorization: Actions, which may not be authorized otherwise, can be carried out as if they were validated by the server referred to.
  • Accountability: Actions may be taken in the name of the server referred to.

Exposure period

  • Design: Authentication methods are generally chosen during the design phase of development.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Very High

Avoidance and mitigation

  • Design: Use other means of authorization that cannot be simply spoofed.

Discussion

The referrer field in HTML requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question. In order to usefully check if a given action is authorized, some means of strong authentication and method protection must be used.

Examples

In C/C++:

sock= socket(AF_INET, SOCK_STREAM, 0); 
...
bind(sock, (struct sockaddr *)&server, len) 
...
while (1)
newsock=accept(sock, (struct sockaddr *)&from, &fromlen);
pid=fork();
if (pid==0) {
  n = read(newsock,buffer,BUFSIZE);
...
if (buffer+...==Referer: http://www.foo.org/dsaf.html)
//do stuff

In Java:

public class httpd extends Thread{
  Socket cli;
  public httpd(Socket serv){
    cli=serv;
    start();
  }
  public static void main(String[]a){
  ...
  ServerSocket serv=new ServerSocket(8181);
  for(;;){
    new h(serv.accept());
  ...
   public void run(){
     try{
       BufferedReader reader
         =new BufferedReader(new InputStreamReader(cli.getInputStream()));
       //if i contains a the proper referer.
 
      DataOutputStream o= 
         new DataOutputStream(c.getOutputStream());
      ... 

Any J2EE program that uses the HttpServletRequest.getHeader("referer") to make a decision is also vulnerable.

Related problems

Categories