referrer spoofing protection

Discussion in 'Computer Security' started by kops, May 30, 2007.

  1. kops

    kops Guest

    Is there any way I can protect my site from people using zspoof /
    supermegaspoof etc. to spoof the referrer header?

    Any help much appreciated,

    Thanks, Jon.
    kops, May 30, 2007
    #1
    1. Advertising

  2. kops

    Sebastian G. Guest

    kops wrote:

    > Is there any way I can protect my site from people using zspoof /
    > supermegaspoof etc. to spoof the referrer header?



    Beside that I never heared of this weird stuff (any normal person would use
    the refspoof extension for Mozilla, the referer form field in his download
    manager, or wget --referer=), the obvious answer is NO.

    From the view of your server, there's absolutely no difference between a
    normal HTTP request with the correct Referer field being set by the
    webbrowser due to actual reference, and a crafted field being set by anyone
    else with knowledge the intended reference.
    Sebastian G., May 30, 2007
    #2
    1. Advertising

  3. kops

    kops Guest

    "Sebastian G." <> wrote in message
    news:...
    > kops wrote:
    >
    >> Is there any way I can protect my site from people using zspoof /
    >> supermegaspoof etc. to spoof the referrer header?

    >
    >
    > Beside that I never heared of this weird stuff (any normal person would
    > use the refspoof extension for Mozilla, the referer form field in his
    > download manager, or wget --referer=), the obvious answer is NO.
    >
    > From the view of your server, there's absolutely no difference between a
    > normal HTTP request with the correct Referer field being set by the
    > webbrowser due to actual reference, and a crafted field being set by
    > anyone else with knowledge the intended reference.


    Hi Sebastian and thanks for the response. While it might be obvious to you,
    it isn't to me so please bear with me :)

    So from what I understand, the only way around this if I have a ring of
    sites would be to ask each user to authenticate seperately at each site
    rather than using the referral method?

    Thanks again,

    jon
    kops, May 30, 2007
    #3
  4. kops

    Sebastian G. Guest

    kops wrote:


    > So from what I understand, the only way around this if I have a ring of
    > sites would be to ask each user to authenticate seperately at each site
    > rather than using the referral method?


    I don't understand what you mean. Referrers are an open secret to anyone who
    has already been authenticated somewhere, and can be transferred freely
    among users. Passwords and any other kind of authentication are essentially
    the same, any user can post them publicly so other can gain access to the site.

    I think your problem is that your referrers are
    a) easily guessed
    b) not properly validated
    c) not valuable to any authenticated user
    Sebastian G., May 30, 2007
    #4
  5. "kops" <> (07-05-30 12:40:05):

    > Is there any way I can protect my site from people using zspoof /
    > supermegaspoof etc. to spoof the referrer header?


    Not through the Referrer field itself. You need to somehow encode the
    referring page URI into the request, and you need to do this properly.
    This means that all pages need to be dynamically generated, and all
    references in the pages need to be rewritten to include something like
    "ref=PAGE-ID" in the query string part.

    Technically that's easy to accomplish (e.g. using Apache's mod_perl),
    but it will only work around Referrer spoofing. It will not prevent the
    user from spoofing the `ref' query field itself, or just typing in the
    URL in question manually.

    Further beware of bookmarking or `URL pasting'. You will get wrong
    things logged. To overcome this, you could use POST instead of GET, but
    that's the wrong way to go, because POST is not intended to be used for
    such purposes. And it would only work in forms, which is bad, too.

    If you place such an importantance into the knowledge of the Referrer,
    then you have to force every user to register and login, and use
    cryptographical methods. I cannot imagine any scenario, where such an
    overkill is necessary.

    By the way, both methods I presented here are intra-site methods. They
    will not work for inter-site references, unless the remote site
    implements the same scheme.

    In other words, don't rely on the Referrer at all. Live with the fact
    that it can be spoofed, because you can't prevent it reliably. For
    things like ad-click counters, encode the corresponding information in
    the URI, but don't rely on Referrers or home-grown techniques.


    Regards,
    Ertugrul Söylemez.


    --
    Security is the one concept, which makes things in your life stay as
    they are. Otto is a man, who is afraid of changes in his life; so
    naturally he does not employ security.
    Ertugrul Soeylemez, May 30, 2007
    #5
  6. kops

    kops Guest

    Thank you both for your help :)
    kops, May 31, 2007
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Carmen Gauvin-O'Donnell

    Spoofing vulnerability?

    Carmen Gauvin-O'Donnell, Feb 8, 2005, in forum: Firefox
    Replies:
    12
    Views:
    897
    Ed Mullen
    Feb 14, 2005
  2. Mark

    Cisco router spoofing?

    Mark, Jul 17, 2003, in forum: Cisco
    Replies:
    6
    Views:
    4,045
  3. hari
    Replies:
    0
    Views:
    675
  4. Truncat

    Stopping the server from logging the referrer

    Truncat, Jul 31, 2006, in forum: Computer Security
    Replies:
    2
    Views:
    456
    Truncat
    Aug 1, 2006
  5. UBB error - referrer blocked ?

    , May 4, 2007, in forum: Computer Support
    Replies:
    4
    Views:
    982
Loading...

Share This Page