Vulnerability Development mailing list archives

Re: Q: How to strip http-referer field?

From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Wed, 6 Sep 2000 22:50:46 -0700

Lincoln Yeoh wrote:


Hi,

Say I have a web mail/messaging program that allows viewing of html ( yes I
know that's not so safe but y'know how it is).

Currently I translate all links to point to a custom fastcgi perl script
which 302 redirects the user if urls are ok looking but displays an error
page if there are GET style parameters or other weird stuff in the URL
(file://...), with a click option to the offending URL if the user is brave
enough. Yes this breaks inline images  with funny urls, but erm so far no
complaints ;).


There has been a lot of discussion about how to squeeze "bad" stuff past
these kinds of filters.  Do you handle all the stuff that has been
identified
so far?  Javascript seems to be the biggest worry at present.


Question is: would it be worth stripping out the http-referer when the user
retrieves foreign links from the displayed html page (either directly or
via img src or other means).


Most likely.  Many web-mail programs use GET methods to switch between
screens,
and unfortunately put sensitive info the in URLs they GET, enough to
authenticate
as the users, if the attacker is quick enough.  If you don't strip the
referrer
stuff, your URL will show up in my web logs.


If it's worth it, any ideas how to do it reliably?  Currently most browsers
still maintain the old referer field value past any 302 redirects.


Sorry.. your question implied that you had a proxy in place to do this.  If
not,
how about popping some innocuous page first, that has a client-side pull
to do the real GET?


Proxying and fetching the actual content would be too resource intensive.
The main trouble is these img src links, html could be done by a meta
refresh page.

I suppose I would have to make sure that a very boring url is used to view
the HTML message?


Or just use PUT instead of GET for your mail processing.


Cheerio,
Link.

p.s. Yes it should be spelt referrer.


Yup.  Fun little spelling error that made it into the official spec.

                                                BB

Current thread:

Q: How to strip http-referer field? Lincoln Yeoh (Sep 06)
- Re: Q: How to strip http-referer field? Blue Boar (Sep 06)
- Re: How to strip http-referer field? Domenico De Vitto (Sep 12)