check the Referer HTTP header?

Posted on 2016-10-20
Last Modified: 2016-10-21
I am trying to set up a good way of preventing CSRF attacks and have the token method in place. In a real world example I probably wouldn't use die, but I am still just working with this to try to get it to work.

session_start(); // the token is kept in the session, so the session must be started first

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the request unless a token was posted, a session copy exists,
    // and the two match (hash_equals avoids a timing side channel)
    if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
        die("Invalid CSRF token");
    } else {
        echo "token is valid";
    }
}

// Issue a fresh token for the next render of the form
$_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(16));


Anyway, I read that another method to use together with the token method is checking the referrer HTTP header. I have tried to search Google for a helpful answer but can't really find anything of use. So, how do I actually do this?
Question by:Black Sulfur
LVL 82

Accepted Solution

by:Dave Baldwin (earned 250 total points)
ID: 41852743
Like this:
// check referrer, if no referrer, exit because it is a direct post
if (isset($_SERVER['HTTP_REFERER'])) {
    // drop any query string, then require the exact page that hosts the form
    $refchk = explode('?', $_SERVER['HTTP_REFERER']);
    if ($refchk[0] != "https://www.yoursite.com/yourpage.php") exit;
} else {
    exit;
}


Author Comment

by:Black Sulfur
ID: 41852750
How would that work if I typed a url directly into the browser? For example, there is no link to click on to get to my login page. I have to type in:

mysite.com/auth/login.php
LVL 108

Expert Comment

by:Ray Paseur
ID: 41852776
About CSRF: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Wouldn't the code fail because there was no actual referer?
Probably the HTTP_REFERER would be empty.  Easy enough to test!

Here's the problem with using form tokens:  I can easily write a script that reads your web page, copies the token into the request variables and submits utterly bogus variables to your script.  If you believe the token, you're running the risk that such an attack could work.  For this reason, form tokens are useless as a security measure and provide a false sense of security.

There are a whole host of things you can do to tighten up form security.  OWASP keeps track of these.  It's a good organization, worth following and supporting.
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852778
How would that work if I typed a url directly into the browser
It doesn't work because there isn't a referrer, that is a 'direct' connection.  You only get a referrer if you click on a link in another page which is the referring page.  It may soon be only if it is an 'https' page and link.  The browser people are tightening security so that less and less is being revealed when a connection is made.
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852792
One other thing:  It is often pointed out that the 'referrer' can be spoofed.  While that may be possible, most spammers are too lazy to do it.  

If you know that your page should only be accessed from another specific page (like in a shopping cart), then you should check the 'referrer'.  If they can't get that right, then they shouldn't be there anyway.  

I had one page in a shopping cart I inherited where the referrer was not being checked.  One day I had 38,000 bogus entries added to my database.  That has never happened again after I added the referrer checking code.

Author Comment

by:Black Sulfur
ID: 41852797
This sounds great if you have to click on a link to get somewhere, but what about my page that can only be accessed by typing in the url? Would I just not bother with the referrer check for that particular page?
LVL 108

Expert Comment

by:Ray Paseur
ID: 41852808
Not to put too fine a point on it, but the HTTP_REFERER is set by the client browser, and therefore it can be spoofed, for example, by cURL.  I used this technique recently to demonstrate a security hole in a law enforcement web site.  They had form tokens and referrer checks (using a ColdFusion server) and we were still able to access prisoner records.  

Security is a full-time four year college major at the University of Maryland.  In spite of all that brainpower, we're usually a few steps behind the bad guys.  So if your web application is likely to be a target, you will want several layers of security.
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852810
If you are typing it in (or clicking on a bookmark / favorite), there is no referrer so there is nothing to check for.  Unless you want to see the absence of the referrer.
LVL 108

Expert Comment

by:Ray Paseur
ID: 41852812
for that particular page not bother with the referrer check?
Short answer: Any public page that can be accessed via a GET request does not need or benefit from a referrer check.  Maybe if you can tell us the nature of the intrusion you're trying to avoid we can offer some other ideas, too.

Author Comment

by:Black Sulfur
ID: 41852823
Okay, got it. I'm not trying to do anything in particular but learn how to properly prevent CSRF attacks should anyone attempt one, but am wondering if you need to try to prevent CSRF attacks on every single form on your website (I am referring to my admin login page in this instance) or do you only need to worry about it when the form actually alters records in some way in the database i.e.: add/edit/delete record(s).

@ Ray: Also, if the token method isn't a good idea, I have seen some suggestions about renaming form fields with random names that change on every request. Is that any good?
LVL 108

Assisted Solution

by:Ray Paseur (earned 250 total points)
ID: 41852848
form fields with random names...
That's interesting, but conceptually no more of a barrier to attack than a form token.  Here's the sequence of events.

1. Client browser makes a GET request for a web page that has a form
2. Server responds with the form
3. Client browser displays the form
4. Human client fills in the form
5. Human client clicks "submit" button
6. Client browser makes a POST request to the action script that processes the form submission

Where an automated attack can take place is between step 2 and step 6.  If a bad guy decides your web application is worth targeting, it's computationally trivial to write a cURL script that will read the form input controls, fill them in with something, and make the POST request.

You may find some ideas about CAPTCHA to be useful.
https://www.experts-exchange.com/articles/9849/Making-CAPTCHA-Friendlier-with-Simple-Number-Tests-or-PHP-Image-Manipulation.html

Author Comment

by:Black Sulfur
ID: 41852849
In case anyone is interested, found this on Github by OWASP:

https://github.com/mebjas/CSRF-Protector-PHP/wiki/How-to-use

I still want to know how to do it myself though :)

Anyway, I suppose that is for another question though as this one has actually been answered.

@Ray, in a previous answer you said I should wait like 24hrs or something before closing a question because other people in the world have different time zones and might only see the question tomorrow etc. So, would you say I should not close this out yet then?
LVL 108

Expert Comment

by:Ray Paseur
ID: 41852856
At this point, if you're satisfied with the answers, sure - go ahead and close it.  Also, because I know Dave Baldwin fairly well, I'm pretty sure you're getting top quality advice!
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41852859
I use the referrer check on the 'action' page for forms along with HTTPS.  It doesn't hurt to make the form page HTTPS either.  And while you may be able to spoof it with curl, it will still keep out the vast majority of the spammers.  If you need better security, you need to do other checks in addition to the referrer.
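The following is an added example and is not code from this thread, from Dave Baldwin or from Ray Paseur. It pulls together the three checks discussed above into one decision for the form's action script: the session token from the asker's code (compared with hash_equals and generated with random_bytes instead of openssl_random_pseudo_bytes), the referrer check from the accepted solution, and the point that a public page fetched with GET needs no check at all. It goes beyond the accepted solution in two ways: it compares only the scheme and host of the referring URL (via parse_url) rather than the whole page address, so a query string or a different path on the same site cannot break a legitimate submission, and it looks at the Origin header before falling back to Referer. The host in ALLOWED_ORIGIN, the function names and the sample requests at the bottom are all constructed for the example; request data is passed in as arrays so the functions can be run from the command line without a web server.

```php
<?php
// Added example (not code from the thread): a defence-in-depth check for
// state-changing requests combining the session token with an Origin/Referer
// check. $_SERVER, $_POST and $_SESSION are passed in as plain arrays.

// Constructed policy: the only origin allowed to submit forms to this app.
const ALLOWED_ORIGIN = 'https://www.example.com';   // placeholder host

// Safe methods never change state, so they get no check; this is the
// "public page accessed via GET" case from the thread (typed-in login page).
function requires_csrf_check(string $method): bool {
    return !in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true);
}

// Reduce a URL to "scheme://host[:port]" so paths, query strings and
// fragments play no part in the comparison.
function origin_of(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;   // relative URL, "null" origin, or garbage
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    if (isset($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

// Browsers send Origin on cross-site POSTs and Referer on most navigations:
// check Origin first, fall back to Referer. A POST carrying neither is
// rejected, since a submission from our own form page always carries one.
function source_is_trusted(array $server, string $allowed): bool {
    $candidate = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($candidate === null) {
        return false;
    }
    $origin = origin_of($candidate);
    return $origin !== null && $origin === origin_of($allowed);
}

// Constant-time comparison of the posted token with the session copy.
function token_is_valid(array $post, array $session): bool {
    if (!isset($post['csrf_token'], $session['csrf_token'])) {
        return false;
    }
    return is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Issue a fresh token for the next form render; bin2hex() makes it safe to
// embed in an HTML value attribute.
function issue_token(array &$session): string {
    $session['csrf_token'] = bin2hex(random_bytes(16));
    return $session['csrf_token'];
}

// Top-level decision: true when the request may proceed to the action script.
function request_allowed(array $server, array $post, array $session): bool {
    if (!requires_csrf_check($server['REQUEST_METHOD'] ?? 'GET')) {
        return true;
    }
    return source_is_trusted($server, ALLOWED_ORIGIN) && token_is_valid($post, $session);
}

// --- constructed sample requests: [server vars, post vars, expected result] ---
$session = [];
$token = issue_token($session);

$cases = [
    'typed-in GET of login page'     => [['REQUEST_METHOD' => 'GET'], [], true],
    'genuine POST from our page'     => [['REQUEST_METHOD' => 'POST',
        'HTTP_REFERER' => 'https://www.example.com/auth/login.php?next=/'],
        ['csrf_token' => $token], true],
    'cross-site POST (Origin header)' => [['REQUEST_METHOD' => 'POST',
        'HTTP_ORIGIN' => 'https://other-site.example'],
        ['csrf_token' => $token], false],
    'direct POST, no Origin/Referer' => [['REQUEST_METHOD' => 'POST'],
        ['csrf_token' => $token], false],
    'right origin, stale token'      => [['REQUEST_METHOD' => 'POST',
        'HTTP_ORIGIN' => 'https://www.example.com'],
        ['csrf_token' => 'deadbeef'], false],
];

foreach ($cases as $label => [$server, $post, $expected]) {
    $result = request_allowed($server, $post, $session);
    printf("%-34s %s\n", $label, $result === $expected ? 'ok' : 'UNEXPECTED');
}
```

Run it with `php` on the command line; each of the five constructed cases should print `ok`. Rejecting a POST that has neither Origin nor Referer is a policy choice: it matches the accepted solution's "no referrer, exit" branch and costs nothing for the typed-in login page, because that page is requested with GET and never reaches the check.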

Author Comment

by:Black Sulfur
ID: 41852867
Security is a full-time four year college major at the University of Maryland

Even if I could afford to go and had time, I doubt I will ever see the inside of a university since where I live they are burning universities down because they want free education. Makes total sense doesn't it? Okay, we grant you free education but you have nowhere to actually study because you burnt all the universities down?!

God save us all!

Author Comment

by:Black Sulfur
ID: 41853956
@ Ray,

Unless I don't understand properly (probably the case), OWASP does make mention of using the token method to prevent CSRF.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet