eric01

Reputation: 919

Is $_SERVER['HTTP_REFERER'] dangerous, if I use an array of predefined URLs for validation?

I am doing a login page for my application. When a user wants to go to "myaccount.php" but he's not logged in, he's redirected to login.php.

When login is successful, I want him to be redirected to $_SERVER['HTTP_REFERER'], which will be various pages of my application.

I read on a forum that ['HTTP_REFERER'] can be dangerous.

But what if I create an array like ('myaccount.php','mycart.php', etc...) and compare this array to $_SERVER['HTTP_REFERER'], will this protect me against potential malicious use of this feature?

Upvotes: 1

Views: 853

Answers (3)

SecurityMatt

Reputation: 6743

$_SERVER["HTTP_REFERER"] is not dangerous - it's just attacker-controlled. It won't hurt you unless you trust it for granting extra permissions to someone (e.g. don't assume that someone who just came from successful-login.php has successfully logged in!)

Redirecting a user doesn't grant any special permissions to the user, so redirecting an attacker to an attacker-controlled string does not compromise your server's security in any way.

Upvotes: 0

Frank Farmer

Reputation: 39356

I read on a forum that ['HTTP_REFERER'] can be dangerous.

I believe the two most common flaws associated with this are header injection and open redirect.

If you only allow redirection based on an internal set of whitelisted URLs, like you've suggested, however, then I don't see a problem.

Upvotes: 2

Michael Berkowski

Reputation: 270617

In this case, it is not particularly dangerous to redirect to $_SERVER['HTTP_REFERER'] because if the end user was doing something malicious, he would just end up redirected at the referrer maliciously injected. As long as you check permissions at the beginning of each script, it would not be possible for the user to reach an area of your site that he should not have access to (like an admin console). If, however, you failed to check permissions on each script and a user crafted a false referrer header, it could be used to direct into an area of your site that isn't supposed to be accessible.

In general though, HTTP_REFERER isn't a particular source of danger. It just cannot be relied on to be set and to hold correct information.

Upvotes: 5
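The allowlist approach the question proposes, combined with the two flaws Frank Farmer names (header injection and open redirect), can be put into one small helper. The following is an added example, not code from the question or any of the answers; the page names, the host comparison and the function name are assumptions. The key design choice is that the value sent in the Location header is always taken from the site's own table, never from the referer string itself, and anything that does not match exactly falls back to a fixed default page.

```php
<?php
// Added example (not from the original post): constrain a post-login redirect
// to a fixed set of internal pages so that $_SERVER['HTTP_REFERER'], which the
// client controls, is never copied into a Location header verbatim.

// Constructed allowlist of internal return pages (assumed names).
const ALLOWED_RETURN_PAGES = ['/myaccount.php', '/mycart.php', '/orders.php'];

/**
 * Returns a safe path to redirect to after login.
 *
 * Falls back to $default whenever the referer is missing, contains CR/LF
 * (which would split the Location header), points at another host or a
 * non-HTTP scheme (open redirect), or names a page outside the allowlist.
 */
function safe_return_path(?string $referer, string $ourHost, string $default = '/myaccount.php'): string
{
    // The header is optional; browsers and privacy settings often omit it.
    if ($referer === null || $referer === '') {
        return $default;
    }
    // Reject header injection attempts before doing anything else.
    if (preg_match('/[\r\n]/', $referer)) {
        return $default;
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return $default;
    }
    // An absolute URL must belong to our own host; "//other.example/..." or
    // "https://other.example/..." would otherwise become an open redirect.
    if (isset($parts['host']) && strcasecmp($parts['host'], $ourHost) !== 0) {
        return $default;
    }
    // Only plain web schemes are acceptable (parse_url also accepts e.g. "javascript:").
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    $path = $parts['path'] ?? '';
    // Exact, type-strict match against the allowlist; return OUR copy of the
    // string, so nothing from the request reaches the Location header.
    $idx = array_search($path, ALLOWED_RETURN_PAGES, true);
    return $idx === false ? $default : ALLOWED_RETURN_PAGES[$idx];
}

// Usage after a successful login (the session/credential check itself is
// outside this example):
//   $target = safe_return_path($_SERVER['HTTP_REFERER'] ?? null, $_SERVER['HTTP_HOST']);
//   header('Location: ' . $target, true, 303);
//   exit;
```

Note that this helper only decides where to send the browser; as Michael Berkowski's answer says, the target page (myaccount.php and the others) must still check the session itself, because the referer never proves that anyone is logged in.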
