security - How is it impossible to spoof Referer Header during CSRF Attack?
Suppose an application's defense against CSRF attacks is to check that the Referer header is from the same origin. Suppose, also, that browsers are sending the Referer header (although that isn't always the case).
I read that it's trivial for a user to spoof their own Referer header, but impossible for a CSRF attacker to do the same.
1.) How can a user spoof their own Referer header? (Note that Referer headers can't be modified programmatically.)
2.) Why can't a CSRF attacker do that?
It is true that spoofing the Referer header in your own browser is trivial, even though you can't modify it programmatically. The trick is to intercept the request after the browser sends it, but before it reaches the server.
This can be done using an intercepting proxy such as Burp Suite. You tell your browser to use the local intercepting proxy as its proxy server. The browser then makes the request to the local proxy. The local proxy keeps the request alive and allows you to change whatever you want in the HTTP text, including the Referer header. When you're ready, you release the request and the local proxy sends it on its way. Easy peasy.
Also worth noting is the implication of this: if you don't use TLS on your website, any of the hops along the way could potentially be evil and modify the request/response if they wanted to. To get an idea of how many hops are in the way, you can try traceroute (although some routers drop the packets that make the traceroute tool work, so it's not a dependable measurement).
In the case of a pure CSRF attack, however, the attacker has no control over the victim's browser. This means the victim's browser makes the request directly to the web server, sending the correct Referer header as it does so. That is why it's impossible to change the victim's Referer header, even though Referer headers in general are a terrible security practice since they can be spoofed.
That said, the best solution for combatting CSRF is using a CSRF token. OWASP recommends using the Origin header and a CSRF token.
Hopefully this helps. If not, let me know in the comments and I'll try to clarify.
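To show what the recommended combination looks like server-side, here is an added example (not code from the answer above or from OWASP) that checks the Origin header, falls back to Referer, and requires a per-session synchronizer token. The site origin `https://app.example` and the dict-shaped request are constructed for the example; note that a request with neither header fails closed, since browsers and referrer policies often strip Referer.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed site origin for this constructed example.
SITE_ORIGIN = "https://app.example"


def issue_csrf_token(session):
    """Generate a per-session synchronizer token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it is unusable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return "%s://%s" % (parts.scheme, parts.netloc)


def same_origin_header_ok(headers):
    """Prefer Origin; fall back to Referer; reject if neither is present.

    Either header may be absent (privacy settings, referrer policy,
    a 'null' Origin), so a missing header must fail closed, not pass.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return origin_of(referer) == SITE_ORIGIN
    return False


def csrf_request_ok(headers, form, session):
    """Accept a state-changing request only if both checks pass."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the token check does not leak timing.
    token_ok = hmac.compare_digest(expected, submitted)
    return same_origin_header_ok(headers) and token_ok
```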