{"id":167,"date":"2009-05-07T16:46:37","date_gmt":"2009-05-07T21:46:37","guid":{"rendered":"http:\/\/osric.com\/chris\/accidental-developer\/?p=167"},"modified":"2010-10-05T17:40:18","modified_gmt":"2010-10-05T22:40:18","slug":"validating-the-referer","status":"publish","type":"post","link":"https:\/\/osric.com\/chris\/accidental-developer\/2009\/05\/validating-the-referer\/","title":{"rendered":"Validating the Referer: Not as Useless as I Thought?"},
"content":{"rendered":"<p>I used to validate the HTTP referer header to verify that users were accessing certain pages from certain other pages. For example, users accessing <code>sampleapp\/edit.cfm<\/code> should be getting there from <code>sampleapp\/index.cfm<\/code>. Anyone accessing <code>sampleapp\/edit.cfm<\/code> without coming from <code>sampleapp\/index.cfm<\/code> was probably monkeying around and should be sent back to the index page, or possibly even logged out.<\/p>\n<p>However, it is fairly trivial to modify your referer header, so anyone who wants to monkey around with <code>sampleapp\/edit.cfm<\/code> can make it look like they are coming from <code>sampleapp\/index.cfm<\/code>. (If you&#8217;re interested in modifying your HTTP headers, I suggest checking out the <a href=\"https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/966\">Tamper Data<\/a> Firefox plugin.) The check provides absolutely no assurance that the user is really coming from that page, because the header is set by the client and can say whatever the client wants it to say. Therefore, I decided the check was useless.<\/p>\n<p>I&#8217;ve been attending a weekly web application security study group with some of my colleagues for the past several weeks, where we&#8217;ve been reading and discussing <a href=\"http:\/\/portswigger.net\/wahh\/\">The Web Application Hacker&#8217;s Handbook<\/a>. The past couple of sessions have been about cross-site scripting (XSS). <a href=\"http:\/\/www.madirish.net\/\">Justin Klein Keane<\/a> brought up a good point at today&#8217;s session: checking the referer may not keep a malicious user from altering his or her referer string, but it could help identify victims of cross-site attacks, the people whose browsers were directed to submit malicious data to <code>sampleapp\/edit.cfm<\/code> by a third-party site (the cross-site request forgery, or CSRF, scenario). The attacker controls the third-party page but not the victim&#8217;s browser, so the victim&#8217;s browser honestly reports the third-party page as the referer, and that is exactly what the check would catch.<\/p>\n<p>Checking the referer isn&#8217;t a sufficient protection against malicious users, by any means, but it could still be helpful as a detection signal. One caveat: some browsers, proxies, and privacy settings strip the referer entirely, so a missing referer is not the same thing as a forged or cross-site one and shouldn&#8217;t be treated as proof of an attack. What do you think?<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>I used to validate the HTTP referer header to verify that users were accessing certain pages from certain other pages. For example, users accessing sampleapp\/edit.cfm should be getting there from sampleapp\/index.cfm. Anyone accessing sampleapp\/edit.cfm without coming from sampleapp\/index.cfm was probably monkeying around and should be sent back to the index page, or possibly even logged &hellip; <a href=\"https:\/\/osric.com\/chris\/accidental-developer\/2009\/05\/validating-the-referer\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Validating the Referer: Not as Useless as I Thought?<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,48],"tags":[140,71,356,141,72],"class_list":["post-167","post","type-post","status-publish","format-standard","hentry","category-best-practices","category-security","tag-csrf","tag-referer","tag-security","tag-xsrf","tag-xss"],"_links":{"self":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/comments?post=167"}],"version-history":[{"count":7,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/167\/revisions"}],"predecessor-version":[{"id":288,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/167\/revisions\/288"}],"wp:attachment":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/media?parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/categories?post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/tags?post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}