2

I participate to a bug bounty program and try to find serious vulnerability to expose.

Firstly, I found that the company was not using CSRF token, instead of that, they use Referer to ensure the request is made from https://example.com.

Referer tend to be less secure than CSRF token, that's why I started to search for Open URL Vulnerability. After a few hours of search, I finally foud one. An input like https://m.example.com/?app=desktop&location=/admin?doSomeAction=stuff will result in the following Location header : Location:https://example.com/admin?doSomeAction=stuff.

Reading Wikipedia about Referer and https, I noticed the following line :

If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.

As I am being redirect to a secure location, why is the Referer header not send when accessing Location:https://example.com/admin?doSomeAction=stuff

Edit : Browser does not change Referer on Location redirection. I got confused due to this post : https://security.stackexchange.com/a/24404/110133. Now I wonder, if instead of Location, the page was sending content with <script>document.location="https://example.com/example.com/admin?doSomeAction=stuff"</script> would it change the referer ?

Community
  • 1
Xavier59
  • 2,884
  • 3
  • 17
  • 34

1 Answers1

2

Actually the HTTP referer is not a mandatory header. The client can decide to leave it blank, or to send false information. I noticed Google Chrome does not always send the referer, and when it comes to HTTP -> HTTPS links, nothing is send for the first few requests. My best guess would be to say that the browser makes sure all the requests have at least been requested once over HTTPS, before the referer are added. Other options from this post:

It will/may be empty when the end user:

  • entered the site URL in browser address bar itself.
  • visited the site by a browser-maintained bookmark.
  • visited the site as first page in the window/tab.
  • switched from a https URL to a http URL.
  • switched from a https URL to a different https URL. (Some browsers)
  • has security software installed (antivirus/firewall/etc) which strips the referrer from all requests.
  • is behind a proxy which strips the referrer from all requests.
  • visited the site programmatically (like, curl) without setting the referrer header (searchbots!).

Update on comment

Yes I would expect it to change. For a browser it doesn't matter who triggered the location, you, a script, or a plugin, but then again, read the above.

Community
  • 1
Yorick de Wid
  • 3,356
  • 15
  • 22
  • See my edit. This is in part due to "entered the site URL in browser address bar itself.". Howewer, I thought using an Open url vulnerability would fix the problem, as it visits the website a first time before sending the second request. In the case of `Location` header, it does not change the referer. – Xavier59 Sep 02 '16 at 12:51
  • I believe **switched from a https URL to a different https URL** is incorrect. The referrer will be available in that case. – John Blatz Sep 02 '16 at 13:09
  • @JohnBlatz When the browsers supports Meta Referrers this is the case. The assumption is HTTPS domains contain sensitive information, also in a URI. Therefore the browser can decide not to include the referer when switching domains. – Yorick de Wid Sep 02 '16 at 13:16