Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
forging subdomain referer headers
Posted by: Albino
Date: April 10, 2011 01:49PM

Does anyone know a way of forging a Referer subdomain A to subdomain B post?

I've found a site, let's call it asd.example.com, where requests are blocked if the Referer header doesn't start with https://asd.example.com. However, I have XSS on anothersubdomain.example.com

Even a modern-ish flash-based solution would be better than nothing. asd.example.com has no crossdomain.xml, however.

edit/^updated info

Edited 1 time(s). Last edit at 04/10/2011 02:31PM by Albino.

Re: forging subdomain referer headers
Posted by: lightos
Date: April 10, 2011 05:58PM

The XML HTTP Request Object should do the trick!

Re: forging subdomain referer headers
Posted by: Albino
Date: April 10, 2011 09:12PM

It doesn't seem like you can forge referer headers with xml http request in firefox >2.0, and it's banned in the spec: http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method

Does it work in any browsers?

Re: forging subdomain referer headers
Posted by: lightos
Date: April 11, 2011 04:18AM

I guess flash or Java would have to do, unless someone knows of another way.

Re: forging subdomain referer headers
Posted by: Albino
Date: April 11, 2011 09:29PM

It doesn't look like even Java or Flash can do this. I'll have to try and bypass the check itself somehow. The code is at

https://github.com/django/django/blob/master/django/middleware/csrf.py#L118

in case anyone is interested. (I can bypass the token defence already)

Re: forging subdomain referer headers
Posted by: barbarianbob
Date: April 12, 2011 12:08AM

Can you send http_x_* headers with just js?

[docs.djangoproject.com]

Edited 1 time(s). Last edit at 04/12/2011 12:09AM by barbarianbob.

Re: forging subdomain referer headers
Posted by: lightos
Date: April 12, 2011 04:33AM

It seems to only enforce referer check with https. Is http an option?

Re: forging subdomain referer headers
Posted by: Albino
Date: April 12, 2011 10:42AM

Posting the request to http:// just gets me a 301 Moved Permanently redirect :\

@barbarianbob you can send http_x_* headers cross-domain with Flash in slightly out of date browsers using [lists.webappsec.org]

I can sort of see how it could be useful for misleading django but I'm not sure precisely how you'd use it to bypass the referer check. Could you give an example header/referer that would work? I tried the obvious ones without success. We could get a bounty from mozilla if it works :)

Re: forging subdomain referer headers
Posted by: barbarianbob
Date: April 12, 2011 12:03PM

I'm looking at lines 145,146 of csrf.py
good_referer = 'https://%s/' % request.get_host()
if not same_origin(referer, good_referer):

And from the link I posted, the value for HTTP_X_FORWARDED_HOST overrides the real host. So instead of spoofing your referer to match the host, trick the host into thinking it's the referer:
POST / HTTP/1.1
host: good.com
referer: evil.com
X_FORWARDED_HOST: evil.com


edit: or does this screw up the part of the script that finds which vhost to load?

Edited 2 time(s). Last edit at 04/12/2011 12:22PM by barbarianbob.

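A constructed model of the check quoted in the post above, added here as an illustration and not Django's own code (get_host, same_origin, ALLOWED_HOSTS and the sample requests are assumptions that mimic what the thread describes). It shows why honouring X-Forwarded-Host lets a cross-subdomain Referer pass the origin check, and the two defensive changes that close it: ignoring the proxy header unless your own proxy sets it, and validating the host against an allowlist.

```python
from urllib.parse import urlparse

# Constructed, simplified model of the check discussed in the thread.
# It is not Django's code; the real middleware is linked in the posts above.

ALLOWED_HOSTS = {"asd.example.com"}  # hypothetical deployment allowlist


def get_host(headers, trust_forwarded_host=False, allowed_hosts=None):
    """Host the request is treated as being for.

    With trust_forwarded_host=True a proxy-style X-Forwarded-Host header
    overrides Host, which is the behaviour the thread exploits. With an
    allowlist, any host not in it is rejected outright.
    """
    host = headers["Host"]
    if trust_forwarded_host and "X-Forwarded-Host" in headers:
        host = headers["X-Forwarded-Host"]
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError("untrusted host: %s" % host)
    return host


def same_origin(url1, url2):
    """Scheme, host and port must all match."""
    p1, p2 = urlparse(url1), urlparse(url2)
    return (p1.scheme, p1.hostname, p1.port) == (p2.scheme, p2.hostname, p2.port)


def referer_check_passes(headers, trust_forwarded_host=False, allowed_hosts=None):
    """Origin check as quoted in the thread: Referer must match https://<host>/."""
    referer = headers.get("Referer")
    if referer is None:
        return False
    try:
        good = "https://%s/" % get_host(headers, trust_forwarded_host, allowed_hosts)
    except ValueError:
        return False  # host failed the allowlist: reject rather than compare
    return same_origin(referer, good)


# Constructed sample requests (not captured traffic).
LEGIT = {"Host": "asd.example.com",
         "Referer": "https://asd.example.com/form"}
# The cross-subdomain request from the thread, with the proxy header added.
CROSS_SUBDOMAIN = {"Host": "asd.example.com",
                   "Referer": "https://anothersubdomain.example.com/",
                   "X-Forwarded-Host": "anothersubdomain.example.com"}
```

With trust_forwarded_host=True and no allowlist the cross-subdomain request passes; with the header ignored, or with an allowlist applied, it is rejected while the legitimate request still passes. In later Django releases the corresponding settings are USE_X_FORWARDED_HOST (off by default) and ALLOWED_HOSTS.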
Re: forging subdomain referer headers
Posted by: Albino
Date: April 12, 2011 01:39PM

That works! I've just filed it on bugzilla. PM me your email and I'll add you to the CC list, should get a bounty for it.

Re: forging subdomain referer headers
Posted by: Albino
Date: June 08, 2011 10:03PM

Just to update, this got a $3000 bounty (split 50/50) :)

The links are currently restricted but:
Referer bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=649354
Token bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=648881

Edited 1 time(s). Last edit at 06/08/2011 10:04PM by Albino.
