WebApp Sec mailing list archives
Re: HTTP REFERER not set in Internet Explorer
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Thu, 17 Nov 2005 08:11:34 +0200
On 16 Nov 2005 at 8:16, Saqib Ali wrote:
> Hello, I am writing a secure application that tracks users on a website by use of HTTP_REFERER. But it seems like Internet Explorer is not properly populating this field. Visit the following website using IE and Firefox. http://www.xml-dev.com/blog/referer_test.php And click on the link that says "Click Here". With Firefox, the correct HTTP_REFERER will be displayed after you click the link. But with I.E. the HTTP_REFERER is set to blank. Has anyone run into this issue?

I ran into similar issues - IE doesn't send the Referer when you use JS in a "raw" way.

> How did you make your application compatible with both I.E and Mozilla based browsers?

You could try to do it via JS in a more "user-like" way, such as to create an anchor tag and simulate a click via JS code. If I remember correctly, this should produce a Referer in IE.

> Because of some security concerns I need the HTTP_REFERER to be set correctly.

I'm sure you're aware of the fact that a Referer can be easily spoofed using any non-browser HTTP tool. Moreover, even if a victim uses a standard browser, an attacker may be able to force the browser (IE) to emit a spoofed Referer header in some cases, see my writeup "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more..." at http://www.securityfocus.com/archive/1/411585

-Amit
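Added example (not part of the original message or of the poster's application): one way server-side code can handle the two behaviours discussed in this message, a Referer that is missing and a Referer that is forged. The function and sample names are hypothetical, the sample requests are constructed, and `OWN_HOST` is taken from the test URL quoted above.

```python
from urllib.parse import urlsplit

OWN_HOST = "www.xml-dev.com"  # host of the test page quoted in the thread


def classify_referer(environ, own_host=OWN_HOST):
    """Classify the client-supplied Referer of a CGI/WSGI request.

    Returns 'absent', 'malformed', 'same-host' or 'other-host'. The result is
    a hint for statistics only, because the client chooses the header value.
    """
    raw = environ.get("HTTP_REFERER", "").strip()
    if not raw:
        return "absent"            # e.g. IE after a script-driven navigation
    try:
        parts = urlsplit(raw)
        host = parts.hostname      # lower-cased, port and userinfo stripped
    except ValueError:             # e.g. unbalanced IPv6 brackets
        return "malformed"
    if parts.scheme not in ("http", "https") or not host:
        return "malformed"
    # Compare the parsed host exactly; a substring match would accept lookalikes.
    return "same-host" if host == own_host.lower() else "other-host"


# Constructed sample requests (assumed for illustration, not captured traffic).
PAGE = "http://www.xml-dev.com/blog/referer_test.php"
SAMPLES = {
    "firefox_link_click": {"HTTP_REFERER": PAGE},
    "ie_script_navigation": {},
    "non_browser_tool_forged": {"HTTP_REFERER": PAGE},
    "lookalike_host": {"HTTP_REFERER": "http://www.xml-dev.com.example/"},
    "garbage": {"HTTP_REFERER": "javascript:void(0)"},
}


def classify_samples():
    """Classify every constructed sample request."""
    return {name: classify_referer(env) for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:26} {kind}")
```

The forged request classifies exactly like the genuine Firefox click, so the value suits statistics but not an access decision.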