Does anyone know a way of forging a Referer subdomain A to subdomain B post?

I've found a site, let's call it asd.example.com where requests are blocked if the Referer header doesn't start with https://asd.example.com . However, I have XSS on anothersubdomain.example.com

Even a modern-ish flash-based solution would be better than nothing. asd.example.com has no crossdomain.xml, however.

edit/^updated info



Edited 1 time(s). Last edit at 04/10/2011 02:31PM by Albino.

The XML HTTP Request Object should do the trick!

It doesn't seem like you can forge referer headers with xml http request in firefox >2.0, and it's banned in the spec: http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method

Does it work in any browsers?

I guess flash or Java would have to do, unless someone knows of another way.

It doesn't look like even Java or Flash can do this. I'll have to try and bypass the check itself somehow. The code is at

https://github.com/django/django/blob/master/django/middleware/csrf.py#L118

in case anyone is interested. (I can bypass the token defence already)

Can you send http_x_* headers with just js?

[docs.djangoproject.com]



Edited 1 time(s). Last edit at 04/12/2011 12:09AM by barbarianbob.

It seems to only enforce referer check with https. Is http an option?

Posting the request to http:// just gets me a 301 Moved Permanently redirect :\

@barbarianbob you can send http_x_* headers cross-domain with Flash in slightly out of date browsers using [lists.webappsec.org]

I can sort of see how it could be useful for misleading django but I'm not sure precisely how you'd use it to bypass the referer check. Could you give an example header/referer that would work? I tried the obvious ones without success. We could get a bounty from mozilla if it works :)

I'm looking at lines 145,146 of csrf.py

good_referer = 'https://%s/' % request.get_host()
if not same_origin(referer, good_referer):

And from the link I posted, the value for HTTP_X_FORWARDED_HOST overrides the real host. So instead of spoofing your referer to match the host, trick the host into thinking it's the referer:

POST / HTTP/1.1
host: good.com
referer: evil.com
X_FORWARDED_HOST: evil.com

edit: or does this screw up the part of the script that finds which vhost to load?



Edited 2 time(s). Last edit at 04/12/2011 12:22PM by barbarianbob.

That works! I've just filed it on bugzilla. PM me your email and I'll add you to the CC list, should get a bounty for it.

Just to update, this got a $3000 bounty (split 50/50) :)

The links are currently restricted but:
Refer bypass; https://bugzilla.mozilla.org/show_bug.cgi?id=649354
Token bypass; https://bugzilla.mozilla.org/show_bug.cgi?id=648881



Edited 1 time(s). Last edit at 06/08/2011 10:04PM by Albino.