
Need to spoof HTTP_REFERER via a link from an asp page

I have a need to have a link to another site, however I do not want that site to know I am referring traffic to them.  My site is based on native .asp pages. I have looked, and the only way I have seen to really do this is based on an article I found here on EE (http://www.experts-exchange.com/Programming/Programming_Languages/Java/Q_21793985.html).  But it was not detailed enough; it appears to be in Java but it does not give a complete example.

Ideally, here is what I want to happen:
* Create a clickable link from my server using an asp page with 1 dynamic variable
* Open the link in a new window when clicked
* Mask or remove the HTTP_REFERER (Website1 (origin), Website2 (destination); I do not want Website2 to know that the user came from Website1)
* Reusable for several different links on the same page (i.e. the dynamic variable will change several times in a for/next type loop on the .asp page)
* Not using .NET, only traditional .asp

Here is the way I do it now but it does not spoof the referer (the "#" is to hide the URL from the user, not a requirement, just a bonus);
<a href="#" onClick="window.open('http://www.somesite.com/testing/topic.asp?SID=<%=CStr(fp_rs("Topic"))%>','_blank','width=750,height=420,resizable=1,scrollbars=1')">Link me</a>

What I need is a real world example of the whole working solution.  I am not opposed to using Java or cgi, just need something that 'integrates' well with .asp.
Asked by: jloberg
 
kevp75 Commented:
Unless you can get your server to forgo the referrer header you may be sol, as it cannot be done with any code.

I am unsure how to do this with IIS, but I am sure it is possible if your host uses Apache.
0
 
jloberg (Author) Commented:
We are on IIS...  If there are any other ideas please chime in!!

Thanks all!
Jerry
0
 
jloberg (Author) Commented:
Here is another link that may be helpful IF this is possible.  This was done in .NET, but I do not know of a way to do it via .asp.  If someone can find a way to send a link from .asp to .NET and have the .NET do what is needed I am not opposed to that process either.  I am willing to do whatever is needed even if it requires some extra steps on the server side.  Just not willing to make the users do anything extra.

http://www.developerfusion.co.uk/show/4672/
0
 
yourbudweiser Commented:
Found this on another site, credit to original poster:

http://www.developerfusion.co.uk/show/4672/

I noticed the article the other day on your website about "Spoofing the Referer During a Web Request". Immediately after reading it I was wondering if you can do this using ASP.NET; the answer is a resounding "YES, of course!". This works because the HTTP standards allow the client to actually dictate the HTTP_Referer variable.

Here is the code:

Imports System.IO
Imports System.Net
Imports System.Text

Function FetchURL(SomeURL As String, Referer As String) As String
    ' Server-side GET that sends a caller-supplied Referer header
    Dim HTTPGetRequest As HttpWebRequest = DirectCast(WebRequest.Create(SomeURL), HttpWebRequest)
    HTTPGetRequest.KeepAlive = False
    HTTPGetRequest.Referer = Referer
    ' Using blocks close the response and the reader even if reading fails
    Using WebResp As HttpWebResponse = DirectCast(HTTPGetRequest.GetResponse(), HttpWebResponse)
        Using sr As New StreamReader(WebResp.GetResponseStream(), Encoding.ASCII)
            ' Return the whole response body as a string
            Return sr.ReadToEnd()
        End Using
    End Using
End Function

You can then call this using the following:
Dim PageString As String
PageString = FetchURL("http://www.google.com/","http://www.microsoft.com")
0
 
jloberg (Author) Commented:
Problem I am running into is that the page that has the link on it (the one I need to spoof) is a classic ASP page, the code above is ASP.NET.  I would need to find a way to transfer data to the ASP.NET page and then have the ASP.NET page spoof and redirect.  If anyone can help do that it would work.
Jerry
0
 
kevp75 Commented:
Please see this link:
http://www.w3schools.com/asp/met_addheader.asp

you may be able to do
<%Response.AddHeader "HTTP_REFERRER","http://www.thesite.com"%>
0
 
tvtimes Commented:
Not sure if this will help but here is a way to link anonymously (remove) - Can't rename who your referer is but you can 'remove' it.  It can be done via a cgi script found here:
http://watson-net.com/download/download.asp?name=Redirector&file=redir.zip

And then test the syntax based on the following to a site that verifies if you are 'referred':

<a href="http://www.inet-police.com/cgi-bin/env.cgi"> Traditional Link</a>

<a href="/cgi-bin/redir.pl?url=http://www.inet-police.com/cgi-bin/env.cgi">Anonymous Link</a>

Because it is a standard "a href", you should be able to use the window.open command to open the link in a new window and embed the asp.  Using your example above, here would be your new code if you saved the redir.pl file in the /cgi-bin:
<a href="#" onClick="window.open('/cgi-bin/redir.pl?url=http://www.somesite.com/testing/topic.asp?SID=<%=CStr(fp_rs("Topic"))%>','_blank','width=750,height=420,resizable=1,scrollbars=1')">Link me</a>

Good Luck and hope this meets enough of your requirements and that you have CGI on your machine.
0
 
jloberg (Author) Commented:
kevp75 - I tried your proposed ideas...  The first there is a comment on w3schools that says the name can not contain underscores.  So that will not work for an HTTP_REFERER statement.  Great idea if the underscores worked....  The second, when I tested it it still showed the website the link came from as the referer...

tvtimes - Fortunately I am able to run cgi-scripts (had to test it first) with my web host.  It seems to work, the referer is not showing after I click on the link, so it appears to 'remove' the referer.  Even though I never thought about using CGI this does solve my problem and it works with classic .asp.

Thanks all.
Jerry
0
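
An added example, not part of the thread and not the redir.pl script linked above: two ways to send a visitor to another site without a Referer header, with the destination checked against an allow-list so the `url=` parameter cannot be pointed at arbitrary sites. ALLOWED_HOSTS, the function names and the returned response object are hypothetical and framework-neutral.

```javascript
// Added example: drop the Referer on outbound links without an open redirect.
// ALLOWED_HOSTS and all function names are hypothetical.
const ALLOWED_HOSTS = new Set(["www.somesite.com"]); // sites you intend to link to

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a parsed URL only for http(s) destinations on the allow-list.
function checkTarget(rawUrl) {
  let target;
  try {
    target = new URL(rawUrl);
  } catch (e) {
    return null; // not an absolute URL
  }
  const okScheme = target.protocol === "http:" || target.protocol === "https:";
  return okScheme && ALLOWED_HOSTS.has(target.hostname) ? target : null;
}

// Option 1: no redirector at all; the browser omits Referer for this link.
function noReferrerLink(rawUrl, text) {
  const target = checkTarget(rawUrl);
  if (!target) throw new Error("destination not allowed");
  return `<a href="${escapeHtml(target.href)}" target="_blank" ` +
         `rel="noreferrer noopener">${escapeHtml(text)}</a>`;
}

// Option 2: redirector response (what a /redir?url=... handler would send).
// An interstitial page is used because a plain 302 keeps the originating
// page as the Referer.
function buildRedirect(rawUrl) {
  const target = checkTarget(rawUrl);
  if (!target) return { status: 403, headers: {}, body: "Destination not allowed" };
  const href = escapeHtml(target.href);
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8", "Referrer-Policy": "no-referrer" },
    body: `<!doctype html><meta name="referrer" content="no-referrer">` +
          `<meta http-equiv="refresh" content="0;url=${href}">` +
          `<a rel="noreferrer" href="${href}">Continue</a>`,
  };
}
```
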
