Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Any way to send POST request without referrer?
Posted by: trev
Date: February 15, 2008 01:46PM

I investigated CSRF in the web interface of a particular router. It appeared to be totally unprotected so I reported the issue - and got a response that this issue was fixed a year ago. Now I investigated further and got very interesting facts. Apparently, CSRF from the local network is a feature! So the web interface will accept any POST requests where the domain name from the Referer header resolves to a local address or doesn't resolve at all. And it will really send a DNS request to check!

Now that definitely isn't a good protection. I verified that it is vulnerable to DNS rebinding (the browser gets the real IP address of the attacking website but when the router attempts DNS resolution later it gets 127.0.0.1). But it would be interesting whether it is possible with something simpler - maybe drop the Referer header somehow. Meta refresh doesn't work because the web interface will only accept a POST request. Maybe Flash or something similar?

Re: Any way to send POST request without referrer?
Posted by: collinj
Date: February 16, 2008 02:23PM

trev Wrote:
> But it would
> be interesting whether it is possible with
> something simpler - maybe drop the Referer header
> somehow. Meta refresh doesn't work because the web
> interface will only accept a POST request. Maybe
> Flash or something similar?

Here's some sample code that will make a POST request without a Referer header:

<script>
location = "javascript:' \
<html><body onload=\"document.forms[0].submit()\"> \
<form id=f action=http://www.example.com method=POST> \
<input name=whatever value=whatever> \
</form> \
</body></html>'";
</script>


-- Collin Jackson

Re: Any way to send POST request without referrer?
Posted by: trev
Date: February 16, 2008 03:04PM

Interesting approach - and works flawlessly! Thanks a lot.

Re: Any way to send POST request without referrer?
Posted by: matteo
Date: February 24, 2008 05:12PM

collinj, very devilish approach ;)

Works well on Firefox 2, Opera 9 and IE 6.
In IE 7 it doesn't work; IE passes the referer to the page where the form posts its data.

Nice work,
Bye

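An added example, not part of the thread and not the router's code: a model of the Referer check described in the first post beside a check that requires a per-session token, showing why the first accepts a POST that carries no Referer while the second rejects it. The function names, the stub DNS table, the `csrf_token` field and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. All names are hypothetical.
// Constructed stand-in for the DNS lookup the router performs on the Referer host.
const FAKE_DNS = { "router.lan": "192.168.1.1", "www.example.com": "203.0.113.7" };
const isLocal = (ip) => /^(127\.|10\.|192\.168\.)/.test(ip);

// Check as described in the first post: accept when the Referer host resolves
// to a local address or does not resolve. Assumption: an absent Referer is
// also accepted, which is what the thread's result implies.
function refererPolicy(req) {
  const ref = req.headers.referer;
  if (!ref) return true; // fails open: nothing to look up
  let host;
  try { host = new URL(ref).hostname; } catch { return true; }
  const ip = FAKE_DNS[host];
  return ip === undefined || isLocal(ip);
}

// Comparison that does not stop at the first differing character.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened check: the request must carry the per-session token, which a page
// on another origin cannot read. Origin/Referer is only a secondary filter:
// when present it must match exactly; when absent the token still decides.
function tokenPolicy(req, session, allowedOrigins) {
  if (req.method !== "POST" || !session) return false;
  if (!sameToken(req.body.csrf_token, session.csrfToken)) return false;
  const src = req.headers.origin || req.headers.referer;
  if (!src) return true;
  try { return allowedOrigins.includes(new URL(src).origin); } catch { return false; }
}

// Constructed sample requests.
const session = { csrfToken: "c0nstructed-sample-token" };
const allowed = ["http://192.168.1.1"];
const noReferer = { method: "POST", headers: {}, body: { whatever: "whatever" } };
const unresolvable = { method: "POST", headers: { referer: "http://no-such-host.invalid/" }, body: {} };
const genuine = { method: "POST", headers: { origin: "http://192.168.1.1" },
                  body: { csrf_token: session.csrfToken } };

for (const [name, r] of Object.entries({ noReferer, unresolvable, genuine })) {
  console.log(name, "referer check:", refererPolicy(r), "token check:", tokenPolicy(r, session, allowed));
}
```

Because the token decides, a genuine form submission still succeeds when a privacy proxy or browser setting strips the Referer header.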