Referrer-based access control

A referrer-based access control is a vulnerability found in web applications that use the HTTP Referer header for enforcing access control to sensitive data or functionality. Referrer-based access control is a weak scheme for access control that can easily be exploited to enable unauthorized access.

Attack Vector

The Referer is a HTTP header field that identifies the page from which a request is submitted. A web application is susceptible to a attack based on the referrer-based access control vulnerability if it uses only the Referer header to enforce access control, i.e. it allows users to access sensitive resources as long as they have a valid Referer field. An attacker can easily forge a request to sensitive pages or forms by supplying the correct Referer header.

Impact

Referrer-based access control can allow attackers to gain unauthorized access to sensitive data and functionality.

Attack Examples

Example 1

The ecommerce website shopping.com uses referrer-based access control to enforce users' access to the /shipping page, such that only users who were referred from the /payment page can access it. Eve is currently on the /cart page, but decides to exploit the vulnerability to bypass the payment process. She sends a HTTP request to shopping.com/shipping, modifying the Referer header such that it appears that she was referred from the /payment page, and have already completed payment.

Example 2

Emboldened by her success in exploiting the vulnerability in the shopping.com page, Eve attempts to use the same referrer-based access control vulnerability to gain administrator control and suspend the page of a rival businessperson, Bob. Access control to the/admin page is strictly enforced by session cookies and CSRF tokens, but access to subpages such as the /admin/suspend_seller is enforced only by checking the Referer field. Alice forges a HTTP request to shopping.com/admin/suspend_seller, setting the Referer field as shopping.com/admin, allowing her to access the page despite not having an administrator account.

Defenses

Access control to all sensitive pages and functionalities should not be enforced by solely by checking the Referer header. Instead, web applications should use proper session management, such as session cookies with CSRF tokens, to validate user requests and ensure that the user is authorized to access the resource.

Criteria for Demonstration

To demonstrate an exploit based on a referrer-based access control vulnerability, provide a detailed explanation including the tools (e.g. Burp Suite) and steps required to modify the Referer header to send a forged request and gain unauthorized access to a restricted page.


Other resources


jloh4