ineedahero

Reputation: 527

How is it impossible to spoof Referer Header during CSRF Attack?

Suppose that an application's only defense against CSRF Attacks is to check the referer header for the same origin. Suppose, also, that all browsers will be sending the referer header (although this isn't always the case).

I read that it is trivial for a user to spoof his own referer header, but that it is IMPOSSIBLE for a CSRF attacker to do the same.

1.) How do you spoof a referer header? (Note, referer headers can't be modified programmatically)

2.) Why can't a CSRF attacker do that?

Upvotes: 2

Views: 3946

Answers (1)

Freedom_Ben

Reputation: 11933

It is true that spoofing a referrer header on your own browser is trivial, even though you can't modify them programmatically. The trick is to intercept the request after the browser sends it, but before it reaches the server.

This can be easily done using an intercepting proxy like Burp Suite. Basically you tell the browser to use the local intercepting proxy as a proxy server. Then the browser will make the request to your local proxy. The local proxy will keep the request alive and allow you to change anything you want in the HTTP text, including the referrer header. When you're ready, you simply release the request and the local proxy sends it away. Easy peasy.

Also worth noting is the implication of this, that if you don't use TLS with your website, any hops along the way could potentially be evil and modify the request/response if they wanted to. To get an idea of the many hops in the way, you can try a traceroute (although some routers will simply drop the packets that make the traceroute tool work, so it's not a dependable measurement).

In the case of a pure CSRF attack, however, the attacker has no control over the victim's browser. This means that the victim's browser will make the request directly to the web server, sending the correct referrer header like it always does. This is why it's impossible to change the victim's referrer header, even though referrer headers in general are terrible security practice since they are so easily spoofed.

That all said, the best solution for combatting CSRF is by using a CSRF token. OWASP recommends using the origin header and a CSRF token.

Hopefully this helps. If not, let me know in the comments and I'll try to clarify.

Upvotes: 4
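The Origin/Referer check plus CSRF token that the answer recommends, as an added example (not the answerer's code): a server-side validator that prefers the Origin header, falls back to Referer, fails closed when neither is present, and compares a per-session token in constant time. The site origin `https://bank.example` and the `csrf_token` field name are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: defender-side check combining the source-origin
# comparison discussed above with a per-session CSRF token.

EXPECTED_ORIGIN = "https://bank.example"  # assumed origin of the protected site


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; path and query must not matter."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_origin_ok(headers, expected=EXPECTED_ORIGIN):
    """Prefer Origin, fall back to Referer, fail closed if neither is present.
    The full origin is compared, so 'bank.example.attacker.example' does not
    pass a naive prefix or substring match."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin.lower() == expected.lower()
    referer = headers.get("Referer")
    if referer is not None:
        return origin_of(referer) == expected.lower()
    return False  # header absent: treat the request as cross-site


def csrf_token_ok(headers, form, session_token):
    """Compare the submitted token with the session's token in constant time."""
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not submitted or not session_token:
        return False
    return hmac.compare_digest(submitted, session_token)


def state_change_allowed(headers, form, session_token):
    """A state-changing request must pass both checks."""
    return source_origin_ok(headers) and csrf_token_ok(headers, form, session_token)


if __name__ == "__main__":
    tok = secrets.token_urlsafe(32)  # would normally be stored in the session
    same_site = {"Origin": "https://bank.example"}
    cross_site = {"Referer": "https://attacker.example/page"}  # constructed
    print(state_change_allowed(same_site, {"csrf_token": tok}, tok))   # True
    print(state_change_allowed(cross_site, {"csrf_token": tok}, tok))  # False
```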
