fake referrers




Posted by durangod, 08-03-2014, 02:44 PM
We all put rules in our scripts to keep people out of particular areas, and part of those rules includes checking the referrer as a piece of that security. As I understand it, a Perl script can fake the referrer and actually be written to show whatever referrer they choose it to be to bypass that check. I am doing some googling now; I would like to know how to do this so I can defend against it. There has to be something we can check from the server side to see if it is the actual referrer or a fake referrer. It's getting to the point that you have to know all the different languages in order to run a site nowadays so we can guard against these morons.

Last edited by durangod; 08-03-2014 at 02:52 PM.

Posted by zacharooni, 08-03-2014, 03:32 PM
No offense, but that's a horrible security implementation. Never trust anything sent in the referrer field, because it could also be PHP code, which will get logged, and will make it easier to perform RCE attacks by evaluating the access log. What you are most likely looking for is authentication, not filtering. For example, htpasswd authentication would work perfectly, that or a Session ID check. No session, no creds? Redirected or 401.

Posted by durangod, 08-03-2014, 04:40 PM
No offense taken. Some of my older sites that I took over have the referrer check as the first part, then they check session as well as other post data and such. And it checks session against the true session, not a script session var; that's where some mess up, you have to check it against the true session from the server. I agree it is never correct to rely on that as the only check, but as part of a larger solution. Checking the referrer can work for the lowball solution for the inexperienced attempt and filter them quickly. It's like a sticker on a house that says beware of dog; that right there will make most wannabe robbers go somewhere else. That is the only purpose for checking referrer first: as an initial filter only before going to other levels. The less time they spend on your site the better. I have validation for JS; if they try to put script in my forms they go to a not so nice page and can't use the back button. I also added the random error messages so they can't use the messages as a rule for like a dictionary attack because they are not static. Some of the older scripts, even the open source ones, still show the session id in the URL, and that's so dangerous. I am converting them as I get to them. So there are other levels. My original question still stands though: how it is done with Perl so I can screen for that.

Posted by zacharooni, 08-03-2014, 04:47 PM
It's pretty easy to do with LWP::Simple, just set the custom user-agent with the ->agent() method. You can't screen for that specifically, because it could be set to anything. Although, if they're not using the ->agent() method to customize their UA, you can screen for anything starting with libwww-perl/

Posted by durangod, 08-03-2014, 05:37 PM
OK cool, that gives me a starting point for some research to make up some rules. Thanks.

Posted by khunj, 08-04-2014, 02:18 AM
Besides the fact that you cannot trust the referrer header, you can block a lot of legitimate users/scripts, which is, IMHO, much worse. For instance, external cron jobs or payment gateways like PayPal IPN don't send any referrer (PayPal does not even have a User-Agent header) because it is not a mandatory field. Also, it can be missing for some specific reason, for instance, if the referring page was using HTTPS.
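
The two points made in the thread (a referrer check passes anything the client types into the header, and it rejects legitimate requests that carry no referrer) can be seen side by side in this added example, which is not code from any poster. The host `example.test`, the cookie name `sid`, the in-memory session store and the sample requests are all constructed assumptions.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)
SESSIONS = {}                         # server-side store: session id -> user

def _sign(sid):
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def new_session(user):
    """Create a server-side session; return the signed cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return f"{sid}.{_sign(sid)}"

def parse_headers(raw):
    """Parse the header lines of a raw HTTP request into a lowercase dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def referer_gate(headers, site="https://example.test/"):
    """The check discussed in the thread: trusts a client-supplied header."""
    return headers.get("referer", "").startswith(site)

def session_gate(headers):
    """Return the user only if the cookie is signed by us and known server-side."""
    cookie = SimpleCookie(headers.get("cookie", ""))
    if "sid" not in cookie:
        return None
    sid, _, sig = cookie["sid"].value.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(sid).encode()):
        return None
    return SESSIONS.get(sid)

# Constructed request: header claims an on-site referrer, no session at all.
FORGED = ("GET /members/ HTTP/1.1\r\nHost: example.test\r\n"
          "Referer: https://example.test/login\r\n\r\n")

def legit_request(cookie_value):
    """Constructed request: valid session, no Referer (e.g. stripped by the browser)."""
    return ("GET /members/ HTTP/1.1\r\nHost: example.test\r\n"
            f"Cookie: sid={cookie_value}\r\n\r\n")

def compare(raw):
    """Return (referer_gate result, session_gate result) for one raw request."""
    h = parse_headers(raw)
    return referer_gate(h), session_gate(h)
```

`compare(FORGED)` passes the referrer gate with no session behind it, while `compare(legit_request(new_session("alice")))` fails the referrer gate even though the session is valid.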


