Referrer-based access control
Referrer-based access control is a vulnerability found in web applications that use the HTTP Referer header to enforce access control to sensitive data or functionality. It is a weak access control scheme that can easily be exploited to gain unauthorized access.
Referer is an HTTP header field that identifies the page from which a request is submitted. A web application is susceptible to an attack based on the referrer-based access control vulnerability if it uses only the Referer header to enforce access control, i.e. it allows users to access sensitive resources as long as they present a valid Referer field. An attacker can easily forge a request to sensitive pages or forms by supplying the correct
Referrer-based access control can allow attackers to gain unauthorized access to sensitive data and functionality.
The ecommerce website shopping.com uses referrer-based access control to enforce users' access to the /shipping page, such that only users who were referred from the /payment page can access it. Eve is currently on the /cart page, but decides to exploit the vulnerability to bypass the payment process. She sends an HTTP request to shopping.com/shipping, modifying the Referer header so that it appears she was referred from the /payment page and has already completed payment.
Emboldened by her success in exploiting the vulnerability in the shopping.com page, Eve attempts to use the same referrer-based access control vulnerability to gain administrator control and suspend the page of a rival businessperson, Bob. Access control to the /admin page is strictly enforced by session cookies and CSRF tokens, but access to subpages such as /admin/suspend_seller is enforced only by checking the Referer field. Alice forges an HTTP request to shopping.com/admin/suspend_seller, setting the Referer field to shopping.com/admin, allowing her to access the page despite not having an administrator account.
Access control to sensitive pages and functionality should not be enforced solely by checking the Referer header. Instead, web applications should use proper session management, such as session cookies with CSRF tokens, to validate user requests and ensure that the user is authorized to access the resource.
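The following Python is an added example written for this page (it is not code from the page or from any real shopping.com application). It places the Referer-only check described above beside a check that relies on server-side session state plus a CSRF token, and runs both over constructed requests for the /shipping page. The Request class, the SESSIONS store, the session/CSRF layout and the scenario names are hypothetical stand-ins; it also goes one step beyond the page's scenario by including a legitimate, paid user whose browser omits the Referer header.

```python
"""Referer-only authorization beside a session-state check (added example)."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> server-side state.
# A real application would keep this in a database or cache; the layout
# here is hypothetical and not taken from any framework.
SESSIONS: dict[str, dict] = {}

TRUSTED_REFERER = "https://shopping.com/payment"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_session(payment_completed: bool = False) -> tuple[str, str]:
    """Create a session and return (session cookie value, CSRF token).

    Both values come from a CSPRNG, so a client cannot guess or forge them.
    """
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": csrf, "payment_completed": payment_completed}
    return sid, csrf


def referer_only_check(req: Request) -> bool:
    """The weak scheme described on the page: authorize /shipping purely on
    the client-supplied Referer header."""
    return req.headers.get("Referer", "").startswith(TRUSTED_REFERER)


def session_state_check(req: Request) -> bool:
    """Hardened check: the decision rests on state the server recorded and on
    a CSRF token bound to that session; the Referer header is ignored."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return False  # no cookie, or a cookie the server never issued
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return False
    # The authoritative fact: did this session really complete /payment?
    return sess["payment_completed"] is True


def evaluate_scenarios() -> dict[str, tuple[bool, bool]]:
    """Run constructed requests through both checks.

    Returns {scenario: (referer_only_result, session_state_result)}.
    """
    paid_sid, paid_csrf = new_session(payment_completed=True)
    unpaid_sid, unpaid_csrf = new_session(payment_completed=False)

    scenarios = {
        # A shopper who genuinely paid: browser cookie plus the token from /payment.
        "paid_customer": Request(
            "/shipping",
            headers={"Referer": TRUSTED_REFERER},
            cookies={"session": paid_sid},
            form={"csrf_token": paid_csrf},
        ),
        # The page's Eve: no payment, no session, only a hand-edited Referer.
        "forged_referer_no_session": Request(
            "/shipping",
            headers={"Referer": TRUSTED_REFERER},
        ),
        # Logged in but skipped /payment, still presenting a forged Referer.
        "forged_referer_unpaid_session": Request(
            "/shipping",
            headers={"Referer": TRUSTED_REFERER},
            cookies={"session": unpaid_sid},
            form={"csrf_token": unpaid_csrf},
        ),
        # Paid, but the browser sent no Referer (e.g. Referrer-Policy: no-referrer).
        "paid_customer_no_referer": Request(
            "/shipping",
            cookies={"session": paid_sid},
            form={"csrf_token": paid_csrf},
        ),
    }
    return {
        name: (referer_only_check(req), session_state_check(req))
        for name, req in scenarios.items()
    }


if __name__ == "__main__":
    for name, (weak, strong) in evaluate_scenarios().items():
        print(f"{name:32s} referer-only={weak!s:5s} session-state={strong}")
```

Running the module prints one line per scenario. Both forged-Referer requests pass the Referer-only check and fail the session-state check, which is the defect the page describes; the last scenario shows the other side of the same weakness: a Referer check also locks out legitimate users whose browsers withhold the header, whereas the session-state check, which never consults Referer, still admits them.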
Criteria for Demonstration
To demonstrate an exploit based on a referrer-based access control vulnerability, provide a detailed explanation including the tools (e.g. Burp Suite) and steps required to modify the Referer header to send a forged request and gain unauthorized access to a restricted page.