Re: HTTP REFERER not set in Internet Explorer

["Amit Klein (AKsecurity)" <aksecurity () hotpop com>]

On 16 Nov 2005 at 8:16, Saqib Ali wrote:

> Hello,
>
> I am writing a secure application that tracks users on a website by
> use of HTTP_REFERER. But see like Internet Explorer is not properly
> populating this field.
>
> Visit the following website using IE and Firefox.
> http://www.xml-dev.com/blog/referer_test.php
>
> And click on the Link that says "Click Here"
>
> With Firefox, the correct HTTP_REFERER will be displayed after you
> click the link. But with I.E. the HTTP_REFERER is set to blank.
>
> Has anyone ran into this issue? 

I ran into similar issues - IE doesn't send the Referer when you use JS in a "raw" way.

How did you make your application
> compatible with both I.E and Mozilla based browsers?

You could try to do it via JS in a more "user-like" way, such as to create a anchor tag and 
simulate a click via JS code. If I remember correctly, this should produce a Referer in IE.

> Because of some security concerns I need the HTTP_REFERER to be set
> correctly.

I'm sure you're aware of the fact that a Referer can be easily spoofed using any non-
browser HTTP tool. Moreover, even if a victim uses a standard browser, an attacker may be 
able to force the browser (IE) to emit a spoofed Referer header in some cases, see my 
writeup "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more..." 
at http://www.securityfocus.com/archive/1/411585

-Amit