Referrer-based access control
Referrer-based access control is a vulnerability found in web
applications that use the HTTP Referer header to enforce access
control to sensitive data or functionality. It is a weak access
control scheme that can easily be bypassed to gain unauthorized
access.
Attack Vector
The Referer is an HTTP header field that identifies the page from
which a request is submitted. A web application is susceptible to an
attack based on the referrer-based access control vulnerability if it
uses only the Referer header to enforce access control, i.e. it
allows users to access sensitive resources as long as they supply a
valid Referer field. Because the header is set by the client, an
attacker can easily forge a request to sensitive pages or forms by
supplying the expected Referer value.
Impact
Referrer-based access control can allow attackers to gain unauthorized access to sensitive data and functionality.
Attack Examples
Example 1
The ecommerce website shopping.com uses referrer-based access
control to enforce users' access to the /shipping page, such that
only users who were referred from the /payment page can access
it. Eve is currently on the /cart page, but decides to exploit the
vulnerability to bypass the payment process. She sends an HTTP request
to shopping.com/shipping, modifying the Referer header so that
it appears she was referred from the /payment page and has
already completed payment.
Example 2
Emboldened by her success in exploiting the vulnerability in the
shopping.com page, Eve attempts to use the same referrer-based
access control vulnerability to gain administrator control and suspend
the page of a rival businessperson, Bob. Access control to the /admin
page is strictly enforced by session cookies and CSRF tokens, but
access to subpages such as /admin/suspend_seller is enforced
only by checking the Referer field. She forges an HTTP request to
shopping.com/admin/suspend_seller, setting the Referer field to
shopping.com/admin, allowing her to access the page despite not
having an administrator account.
Defenses
Access control to all sensitive pages and functionalities should
not be enforced solely by checking the Referer header. Instead,
web applications should use proper session management, such as session
cookies with CSRF tokens, to validate user requests and ensure that
the user is authorized to access the resource.
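To make the contrast concrete, here is an added example (not code from the original page) that places the Referer-only check from the two attack examples beside a check based on server-side session state and a CSRF token. The session store, session ids, paths and token values are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional
import hmac

# Constructed in-memory session store: session id -> server-side state.
# Authorization facts (role, payment status) live here, never in headers.
SESSIONS = {
    "sess-eve": {"user": "eve", "role": "customer", "paid": False, "csrf": "tok-eve"},
    "sess-admin": {"user": "root", "role": "admin", "paid": False, "csrf": "tok-admin"},
}

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)   # client-controlled
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

# Weak scheme described on the page: the only check is the Referer header,
# which the client can set to any value.
def referer_allows(req: Request, required_referer: str) -> bool:
    return req.headers.get("Referer", "") == required_referer

# Hardened scheme: the decision derives from the session the cookie maps to
# and a CSRF token bound to that session. The Referer header is never read.
def session_allows(req: Request, required_role: Optional[str] = None,
                   require_paid: bool = False) -> bool:
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return False
    # Constant-time comparison of the submitted token against the session's token.
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return False
    if required_role is not None and sess["role"] != required_role:
        return False
    if require_paid and not sess["paid"]:
        return False
    return True

# Server-side state change made by the real payment step, not by a header.
def complete_payment(session_id: str) -> None:
    SESSIONS[session_id]["paid"] = True

def demo() -> dict:
    # Example 1: Eve, still unpaid, forges the Referer to reach /shipping.
    forged_shipping = Request("/shipping", headers={"Referer": "https://shopping.com/payment"},
                              cookies={"session": "sess-eve"}, form={"csrf": "tok-eve"})
    # Example 2: the same trick against /admin/suspend_seller with a customer session.
    forged_admin = Request("/admin/suspend_seller", headers={"Referer": "https://shopping.com/admin"},
                           cookies={"session": "sess-eve"}, form={"csrf": "tok-eve"})
    return {
        "weak_shipping": referer_allows(forged_shipping, "https://shopping.com/payment"),
        "hard_shipping": session_allows(forged_shipping, require_paid=True),
        "weak_admin": referer_allows(forged_admin, "https://shopping.com/admin"),
        "hard_admin": session_allows(forged_admin, required_role="admin"),
    }
```

The weak check accepts both forged requests; the hardened check rejects both, and only starts admitting /shipping once complete_payment has recorded the payment on the server side.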
Criteria for Demonstration
To demonstrate an exploit based on a referrer-based access control
vulnerability, provide a detailed explanation including the tools
(e.g. Burp Suite) and steps required to modify the Referer header to
send a forged request and gain unauthorized access to a restricted
page.
Other resources
jloh4