Sla.ckers.org (sla.ckers.org is ha.ckers sla.cking)
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL!
HTTP Referer
Posted by: bburg
Date: October 05, 2006 02:17PM

Does anyone know if there is a way to force the client's browser to strip its referer information? I know that you can do this with a META redirect, and possibly JavaScript, but what if these aren't an option? Thanks!

Re: HTTP Referer
Posted by: WhiteAcid
Date: October 05, 2006 07:03PM

Well... using Flash you can set it to a blank value, but this is IE only.
As an example, create a file called show_ref.php and make it contain:
<?= $_SERVER['HTTP_REFERER']; ?>
Then load http://www.whiteacid.org/misc/xss_headers.php?xss_target=http://127.0.0.1/show_ref.php&Referer= in IE and click the submit button. Voila, you've loaded a page without a referer.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: HTTP Referer
Posted by: rsnake
Date: October 05, 2006 07:28PM

And if you do that, you are risking that his XSS doesn't use the XSS you built in that localhost function to know a lot more about whatever you have running on localhost. ;)

But WhiteAcid would NEVER do that. ;)

Anyway, to answer your question, beyond those two methods there really isn't any good way other than some browsers just don't send referrers; if you have one of those you can trap them and make them do something else. But yah, those are the three good ways.

Re: HTTP Referer
Posted by: WhiteAcid
Date: October 05, 2006 07:38PM

Quote

And if you do that, you are risking that his XSS doesn't use the XSS you built in that localhost function to know a lot more about whatever you have running on localhost. ;)
I'm sorry... I know it's 1:35am here, but that just makes no sense to me.

I had deliberately left the 127.0.0.1 bit in these, assuming he'd code that on his localhost. No way would I host a file like that on my site. Note that I do have one file vulnerable to XSS (deliberately so). It was made ages ago to teach some people the basics of XSS.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: HTTP Referer
Posted by: rsnake
Date: October 06, 2006 11:46AM

I was making a joke about him hosting XSS on his intranet so that your Flash file might have some "extra" stuff in it so that you can start reading stuff from his intranet. It's just a joke - you need sleep.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Referer
Posted by: WhiteAcid
Date: October 06, 2006 12:13PM

oh. lol. hehehe.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer
