Playing With Referer & Origin

(´Ø·¸¤Î¤¢¤ë: CSRF afterparty & MUST READ »ÙÇÛ¤¹¤ës )

If you read owasp you should know that Referer has never been a good Êݸî. If »ÈÍÑ¼Ô Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ës form from https:// URL than referer header is omitted ͽÄê to °ÂÁ´ ¿äÏÀ¤¹¤ë¡¿Íýͳs - it's known fact. But having https page is a big ¼è°ú¡¤¶¨Äê for hacker - very uncomfortable for Â絬ÌÏ¤Ê attacks(®¤¯ banned/Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬d, expensive ¾ÚÌÀ½ñs).

I ÀßΩ¤¹¤ë a way(in fact two ways) to omit this header from any page - it is the trick with about:blank.

theory:

•  Referer is very popular header for filtering ³°Éô¤Î(hot linked <img>s) requests on image hostings.
  Using the trick µö¤¹s you to embed any ³°Éô¤Î »ñ¸» not ¸ºß ¶¼¤¹d to be banned or noticed ͽÄê to Referer header. PROTIP: use modern "seamless" ¤»¤¤¤Ë¤¹¤ë in iframe in embed iframes seamlessly :D
• Referer is omitted in some weird browsers or if »ÈÍÑ¼Ô customizes his ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í this way. It really happens. This is why ǧ²Ä¤¹¤ëing request if referer is empty(I mean not sent) is a good practice(you can google it 1 2). Websites do this because they don't want to lose sort of ~1 ¥Ñ¡¼¥»¥ó¥È of traffic.
  The trick turns 1% -> 100%. 1% can be pwned because it is their problem(omitting referer). If 100% is pwned - it is a ÊúÍʤ¹¤ë vuln.
• Origin is a modern °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë Âå°Æ¡¿ÁªÂò»è for Referer - because it ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës only domain path(https://domain.com/) and is sent from https pages.
  Still not supported by some "browsers"(e.g. IE 8) but anyways, it is kinda °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë header to Ω¾Ú¤¹¤ë(CORS ²Ê³Ø¡Ê¹©³Ø¡Ëµ»½Ñ is based on Origin). 

TRICK 1

<iframe src="javascript:CODE"></iframe>
¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ëing any code in ¾õ¶· of about:blank(it is default URL for src). CODE is a script that À¸À®¤¹¤ës(ʸ½ñ.Îá¾õ) the form and than Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ës it(ʸ½ñ.forms[0].Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë())
It sends empty Referer but Origin is still proper(I guess they special-»öÎã¡¿´µ¼Ôd this trick inside of Webkit)

TRICK 2

ʸ½ñ.Îá¾õ('<iframe src=\'data:text/html,<form method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë ³èÆ°¡¿ÀïÆ®="PATH"></form><script>ʸ½ñ.forms[0].Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë()</script>\'></iframe>')
Putting HTML code in ¾õ¶· of weird about:blank with µÄÄê½ñ == "data". This trick is cooler because it doesn't Í׵᤹¤ë JS and sends POSTs with empty Referer and Origin: null. But I wonder why it ºîÉÊ in Webkit?! O_o:
(from http://msdn.microsoft.com/en-us/library/cc848897(v=vs.85).aspx)
For °ÂÁ´ ¿äÏÀ¤¹¤ë¡¿Íýͳs, data URIs are À©¸Â¤¹¤ëd to downloaded »ñ¸»s. Data URIs cannot be used for ¹Ò³¤, for scripting, or to µï½»¤µ¤»¤ë ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë or iframe elements.

And now for something ´°Á´¤Ë different! Showcases!

disqus.com - they Í׵᤹¤ë referer equal disqus.com OR empty one. Good example(commenting on ¤ËÂå¤ï¤Ã¤Æ of your account) - ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë the code to ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë comment there.
ʸ½ñ.Îá¾õ('<iframe src=\'data:text/html,<form method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë ³èÆ°¡¿ÀïÆ®="http://jwo.disqus.com/thread/the_one_with_html5_videos_using_zencoder_for_videojscom_jwo/post_create/"><input »Ø̾¤¹¤ë=message value="Good article, JSON FTW"></form><script>ʸ½ñ.forms[0].Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë()</script>\'></iframe>')



yfrog.com - they had an awful CSRF ·ê¤ò³«¤±¤ë a month ago. Than I Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬d it; 3 times; And got no ÊÖÅú. They ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd it by Ω¾Ú¤¹¤ëing referer is equal "yfrog.com"(losing ~1% of »ÈÍѼÔs). Doing 5 minutes brainstorm I ÀßΩ¤¹¤ë a ºï¸º¡Ê¤¹¤ë¡Ë thing over the new Êݸî - they ¼õÂ÷¤¹¤ë GET(it is a nice showcase for GET Accessible ³èÆ°¡¿ÀïÆ®s problem).

In general, all you need is to ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë on your ʽ¤Ç°Ï¤à (/profile/HACKERACCOUNT) Îà»÷¤Î code:

<img src=/message/ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë.json?message=SPAM_MESSAGE>
<img src=/follow.json?»ÈÍѼÔ=HACKER_TO_FOLLOW>

Than, just ´Þ¤à your ÍÑ°Õ¤¬½ÐÍè¤Æ¤¤¤ë yfrog profile with <iframe src=http://yfrog.com/profile/HACKERACCOUNT></iframe> anywhere - than img-requests will be sent from yfrog.com with yfrog's referer but they are still malicious. Voila :)

UPDATE: http://code.google.com/p/chromium/ÌäÂ꡿ȯ¹Ô¤¹¤ës/¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ë?id=125319

@homakov - There really is nothing to ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë on that Á°Àþ. A web app is fundamentally broken if it ¿®ÍÑs the absence of the referer header to ¼¨¤¹ a request is not a CSRF. It's an inherently ´í¸±¤Ê ²¾Äê¡¿°ú¤­¼õ¤±¤ë¤³¤È.

Period. DO not rely on empty referer anyhow. It is ´í¸±¤Ê and those tricks are legit. Anyway, it's still pretty useful to use hot-linked images sending empty referer :)

Thanks for reading.