Using referer field for authentication or authorization

From OWASP
Revision as of 07:09, 26 May 2009 by Deleted user


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 05/26/2009

Vulnerabilities Table of Contents

Description

The referrer field (actually spelled 'referer') in HTTP requests is set by the client and can be easily modified; as such, it is not a valid means of message integrity checking, authentication or authorization.

Consequences

  • Authorization: Actions that would not otherwise be authorized can be carried out as if they had been validated by the referring server.
  • Accountability: Actions may be taken in the name of the referring server.

Exposure period

  • Design: Authentication methods are generally chosen during the design phase of development.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Very High

The referrer field in HTTP requests can be trivially modified by malicious users, rendering it useless as a means of checking the validity of the request in question. In order to usefully check whether a given action is authorized, some means of strong authentication (for example a server-side session) and method protection must be used.


Risk Factors

TBD

Examples

In C/C++:

int sock, newsock, n;
pid_t pid;
char buffer[BUFSIZE + 1];
...
sock = socket(AF_INET, SOCK_STREAM, 0);
...
bind(sock, (struct sockaddr *)&server, len);
listen(sock, 5);
...
while (1) {
  newsock = accept(sock, (struct sockaddr *)&from, &fromlen);
  pid = fork();
  if (pid == 0) {
    n = read(newsock, buffer, BUFSIZE);
    if (n > 0) buffer[n] = '\0';   // terminate so string functions are safe
    ...
    // authorization decided from a client-supplied header: this is the flaw
    if (strstr(buffer, "Referer: http://www.foo.org/dsaf.html") != NULL) {
      // do stuff
    }
  }
}

In Java:

import java.io.*;
import java.net.*;

public class httpd extends Thread {
  Socket cli;
  public httpd(Socket serv) {
    cli = serv;
    start();
  }
  public static void main(String[] a) throws IOException {
    ...
    ServerSocket serv = new ServerSocket(8181);
    for (;;) {
      new httpd(serv.accept());
    }
  }
  public void run() {
    try {
      BufferedReader reader
        = new BufferedReader(new InputStreamReader(cli.getInputStream()));
      DataOutputStream o
        = new DataOutputStream(cli.getOutputStream());
      String line;
      // read the request headers one line at a time, up to the blank line
      while ((line = reader.readLine()) != null && line.length() > 0) {
        // authorization decided from a client-supplied header: this is the flaw
        if (line.equals("Referer: http://www.foo.org/dsaf.html")) {
          // do stuff
        }
      }
      ...
    } catch (IOException e) {
      ...
    }
  }
}

In J2EE:

Any J2EE program that uses

HttpServletRequest.getHeader("referer")

to make a decision is also vulnerable.


Related Attacks


Related Vulnerabilities


Related Controls

  • Design: Use other means of authorization that cannot be simply spoofed.
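The weak check from the Examples section beside the kind of control this item asks for, as an added example in Python that is not code from the OWASP page. It parses a minimal HTTP/1.1 request, then decides a state-changing request two ways: from the Referer header, as the C and Java examples do, and from server-side session state plus a per-session anti-CSRF token. `TRUSTED_ORIGIN` reuses the origin from the page's examples; the `SESSIONS` table, the request texts, the session ids and the tokens are all constructed for the demonstration.

```python
"""Referer-based authorization beside a server-side check.
Added example, not OWASP's code. All requests, sessions and tokens are
constructed here for the demonstration."""
import hmac
import secrets
from urllib.parse import parse_qs

TRUSTED_ORIGIN = "http://www.foo.org"  # origin the page's C/Java examples trust


def parse_request(raw):
    """Split a raw request into (method, path, headers, body).
    Header names are case-insensitive, so they are stored lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_cookies(cookie_header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def build_request(method, path, headers, body=""):
    """Assemble a raw request string from its parts (demo input only)."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# --- Weak: the decision rests on a header the client fills in freely ---
def authorized_by_referer(raw):
    """The page's pattern: allow the action if Referer names the trusted site."""
    _, _, headers, _ = parse_request(raw)
    return headers.get("referer", "").startswith(TRUSTED_ORIGIN + "/")


# --- Hardened: the decision rests on state only the server holds ---
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}; constructed in-memory store


def create_session(user):
    """Log a user in: random session id plus a random token bound to that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def authorized_by_session(raw):
    """Allow a state-changing request only for a live session whose anti-CSRF
    token is echoed in the form body. Referer plays no part, so forging it gains nothing."""
    method, _, headers, body = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return False  # no authenticated session at all
    if method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods change nothing and need no token
    sent = parse_qs(body).get("csrf", [""])[0]
    # constant-time comparison so a wrong token leaks nothing through timing
    return hmac.compare_digest(sent.encode(), session["csrf"].encode())


def demo():
    """Two constructed requests: one carrying only a Referer naming the trusted
    site, and one from a logged-in user carrying that session's token."""
    forged = build_request("POST", "/transfer",
                           {"Host": "www.foo.org", "Referer": TRUSTED_ORIGIN + "/dsaf.html"},
                           "amount=100")
    sid = create_session("alice")
    genuine = build_request("POST", "/transfer",
                            {"Host": "www.foo.org", "Cookie": f"sid={sid}"},
                            f"amount=100&csrf={SESSIONS[sid]['csrf']}")
    return {
        "forged_passes_referer_check": authorized_by_referer(forged),   # True
        "forged_passes_session_check": authorized_by_session(forged),   # False
        "genuine_passes_session_check": authorized_by_session(genuine), # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The first check accepts the request that carries nothing but a header string the sender typed in; the second refuses it because no session exists for it, and accepts only the request whose cookie maps to a live session and whose body carries that session's token. Binding the decision to server-held state, rather than to any header, is the "other means of authorization that cannot be simply spoofed" the control above calls for.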


Related Technical Impacts


References

TBD