WebApp Sec mailing list archives

Re: [WEB SECURITY] Help with referer issues in XSS


From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Mon, 05 Mar 2012 14:24:07 +0100

Also check for:

5. www.example.com.attacker.com/.. as the referrer

just in case the referrer checking regexp is broken.

Cheers
Stefano

On Fri, 02/03/2012 at 18:30 -0800, super evr wrote:
Here's a couple things to try that I've learned in my experience.

First you can find out more about how the application is checking the REFERER.
Find out if the application is only verifying parts of the REFERER or
the entire URL. Try taking parts of the REFERER out and see if the
request is still valid, for example:
1. www.example.com/profile.jsp [original]
2. www.example.com/arbitrary_page.jsp
3. [no referrer]
4. www.attacker.com/www.example.com/profile.jsp

If you find a redirector on the site, you can use [2].
If the request is allowed with no REFERER, the attack site can be
hosted on HTTPS since HTTPS->HTTP won't send the REFERER [3].
Create a new folder on the attack site with the URL of the victim site.

If the referrer checking is strict [1], then the attack might not be
as easy. Either way, vuln is still vuln.

Phil

On Mar 2, 2012, at 10:43 AM, Tim <tim-security () sentinelchicken org> wrote:

Hello,

Suppose there is a reflected XSS vulnerability in a popular SNS, but this
site is "concerned" about security, so they check the referer field of
certain POST requests to make sure that they are normal and correct. Is
it possible for me to bypass this check within javascript? It seems
that I can't set this parameter like this:

xmlHttp.setRequestHeader("Referer","http://expected.target");

It would be appreciated if someone can give me a clue.


I'm always interested to see what the community's response is to this
question.  It comes up relatively frequently in the context of CSRF
(since this kind of checking can mitigate CSRF).  Often most people
are skeptical that this kind of checking is sufficient to prevent CSRF
and reflected XSS, but in recent times, I am not aware of a way around
it in the general case.

Old versions of Flash do allow one to set Referer cross-domain, but it
is my impression this was fixed quite some time ago.  Various XHR API
vulnerabilities have also existed in the past to allow for injection
of restricted headers, like Referer, but these could be seen as
browser vulnerabilities.

Recently [1] it was pointed out how headers containing '-' can be
spoofed due to foolishness in CGI-compatible APIs that transliterate
header names, but Referer of course doesn't have a '-'.

Can anyone give an example of how one would get around Referer
checking?

tim


1. http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-January/008170.html

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity () lists webappsec org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
..................
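Added example (not code from any message in this thread): a small Node.js harness that runs the Referer probes Phil lists (1-4) and Stefano's fifth case through a loose regex check and a strict origin check, plus a helper for the CGI header-name transliteration point in Tim's footnote [1]. The scheme, host names, paths, probe table and function names are assumptions made for illustration; the thread gives the values without a scheme.

```javascript
// Added example, not code from the thread. Runs the thread's Referer probes
// against a loose check and a strict check, and shows why header-name
// transliteration in CGI-style APIs cannot reach HTTP_REFERER.
// Scheme, hosts and paths are assumptions added for illustration.

const VICTIM_ORIGIN = "https://www.example.com";

// Probe table constructed from the values in the thread (scheme added).
const PROBES = [
  { id: 1, referer: "https://www.example.com/profile.jsp",
    note: "original page" },
  { id: 2, referer: "https://www.example.com/arbitrary_page.jsp",
    note: "another page on the victim, e.g. an open redirector" },
  { id: 3, referer: null,
    note: "no Referer at all, e.g. HTTPS attack page -> HTTP victim" },
  { id: 4, referer: "https://www.attacker.com/www.example.com/profile.jsp",
    note: "victim URL reproduced in the attacker's path" },
  { id: 5, referer: "https://www.example.com.attacker.com/profile.jsp",
    note: "victim host as a label inside the attacker's host" },
];

// Loose check: unanchored substring match on the raw header, and a missing
// header is treated as acceptable. This is the "broken regexp" case.
function looseRefererCheck(referer) {
  if (referer === null) return true;
  return /www\.example\.com/.test(referer);
}

// Strict check: header must be present and parse as a URL, its origin
// (scheme + host + port) must equal the victim origin exactly, and the path
// must sit under an allowed prefix. Passing the exact page path is what Phil
// calls strict checking; "/" only pins the origin, so probe 2 still passes.
function strictRefererCheck(referer, allowedPathPrefix = "/") {
  if (referer === null) return false;
  let u;
  try {
    u = new URL(referer);
  } catch (e) {
    return false;
  }
  if (u.origin !== VICTIM_ORIGIN) return false;
  return u.pathname.startsWith(allowedPathPrefix);
}

// Run every probe through a check and return the ids it accepted.
function acceptedProbeIds(check) {
  return PROBES.filter((p) => check(p.referer)).map((p) => p.id);
}

// CGI-style mapping of a request header name to an environment variable
// (RFC 3875: uppercase, '-' becomes '_', prefixed with HTTP_). Two distinct
// header names collide when they map to the same variable.
function cgiEnvName(headerName) {
  return "HTTP_" + headerName.toUpperCase().replace(/-/g, "_");
}

// A header is impersonable through that mapping only if a *different* header
// name maps to the same variable, which requires a '-' in the target name.
// "Referer" has none, so only a literal Referer header reaches HTTP_REFERER,
// and XHR refuses to let script set that one.
function spoofableByTransliteration(targetHeader) {
  const alias = targetHeader.replace(/-/g, "_");
  return alias.toLowerCase() !== targetHeader.toLowerCase()
      && cgiEnvName(alias) === cgiEnvName(targetHeader);
}

// Stand-alone usage: node referer_probes.js
if (typeof require !== "undefined" && require.main === module) {
  console.log("loose check accepts: ", acceptedProbeIds(looseRefererCheck));
  console.log("origin check accepts:", acceptedProbeIds(strictRefererCheck));
  console.log("page check accepts:  ",
    acceptedProbeIds((r) => strictRefererCheck(r, "/profile.jsp")));
  console.log("X-Forwarded-For spoofable:", spoofableByTransliteration("X-Forwarded-For"));
  console.log("Referer spoofable:        ", spoofableByTransliteration("Referer"));
}
```

The loose check accepts all five probes, the origin-only check accepts 1 and 2 (so a redirector on the victim host still works, as Phil notes), and the page-path check accepts only 1. Note that startsWith on the path is a prefix test; comparing the full pathname for equality is tighter still if the application can afford it.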
