Spoofing the HTTP_REFERER

  1. #1
    Junior Member
    Join Date
    Nov 2001
    Location
    USA
    Posts
    14

    Spoofing the HTTP_REFERER

    Hello everyone!

    I'm working on a project for work and I need to spoof the HTTP_REFERER when posting a (client side) form from a web server.

    Sorry for asking a lame question! I've spent days reading articles (including here), looking through books, and scanning the internet for anything I could find on this and have come up almost empty handed.

    First, can this be done client side? Or should I try using Curl to pull this off?

    I'm currently trying to use header() but I keep getting:

    Warning: Cannot add header information - headers already sent by (output started at blah blah blah)

    I keep reading that it has to be done before any output is done, and before any 'whitespace' but no matter where I seem to put it, I get the same warning message!

    If it helps, I'm also using echo.

    I'm currently running Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6.

    If someone would be kind enough to point me in the right direction, I'd appreciate it! :)

    Thanks!

    Dan

  2. #2
    Senior Member
    Join Date
    Mar 2001
    Posts
    636

    RE: Spoofing the HTTP_REFERER

    The header() and cookie commands must be used before any output - that includes anything outside of the php script too.

    Next bit, the HTTP_REFERER is sent by the user's browser.

  3. #3
    Senior Member
    Join Date
    Jun 2000
    Posts
    65,357

    RE: Spoofing the HTTP_REFERER

    damn damn damn - there MUST be some way to spoof the http-referer, I've wanted to use this many times (esp where it needs to customise depending on domain aliased use to access common webspace)

    so you're telling me there is no way to override it, and that I must make something live before I can test it? there MUST be some way!

  4. #4
    Senior Member
    Join Date
    Jun 2000
    Posts
    65,357

    RE: Spoofing the HTTP_REFERER

    Well of course there is a way to spoof a referer. How useful it will be is something for you to decide :)

    Since the referer comes from the web browser client, we will need to create our own "PHP WWW Client"... Basically a proxy.

    Here is some code I've created that will spoof all the information that is there:

    <?php

    // Setup Information
    $host = "www.yoursite.com";
    $path = "/index.html";   // path to request (kept separate from the response buffer)
    $page = "";              // response buffer

    // Open the socket
    $fp = fsockopen($host,80,$errno,$errstr,30) or die("Could not establish a connection. $errstr($errno)");

    // Request the page; the client chooses every header value, Referer included
    fputs($fp,"GET $path HTTP/1.0\r\n");
    fputs($fp,"Host: $host\r\n");   // needed by name-based virtual hosts
    fputs($fp,"User-agent: PHP WWW Client\r\n");
    fputs($fp,"Referer: http://www.anothersite.net\r\n");
    fputs($fp,"\r\n");

    // Read the response into $page
    while (!feof($fp)) {
        $page .= fgets ($fp,128);
    }

    // Close Socket
    fclose($fp);

    ?>

    $page will now contain the HTML contents of the page you just received from the server.

    As for what you do with it next, that is up to you :) You will probably need to format any URLs in the code so they will work from your domain. Then print out the html code.

    Generally doing this is not really a good idea, but this is the only way that I know of to "spoof" the referer and user-agent.

    Note: For those of you wanting to spoof IP addresses, you can't :) Don't try it anyways, it's a very bad thing.

    Hope this helps out some.

    -Josh
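
Added example, not part of the thread or any poster's code: because the Referer is whatever the client writes, a server-side check built on it passes for any hand-built request, while a token stored in the server-side session when the form is rendered does not. The function names, the `shop.example` host and the two sample requests are constructed for illustration, and plain arrays stand in for `$_SERVER`, `$_SESSION` and `$_POST` so it runs from the PHP 7.1+ CLI.

```php
<?php
// Weak check: trusts a header the client supplies itself.
function referer_check(array $server, string $trustedHost): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return parse_url($ref, PHP_URL_HOST) === $trustedHost;
}

// Stronger check: a random token kept server-side when the form is rendered
// and echoed back by the form as a hidden field.
function issue_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

function token_check(array $session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    // hash_equals() compares in constant time; an empty expected value never passes.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// --- Constructed scenario ---
$session = [];                    // stands in for $_SESSION
$token   = issue_token($session); // rendered into the legitimate form

// Request A: browser that loaded the form in this session and submitted it.
$requestA = [['HTTP_REFERER' => 'https://shop.example/order-form'], ['form_token' => $token]];

// Request B: hand-built client that sets the Referer itself
// but was never served the form in this session.
$requestB = [['HTTP_REFERER' => 'https://shop.example/order-form'], []];

foreach (['A (browser)' => $requestA, 'B (forged Referer)' => $requestB] as $name => [$server, $post]) {
    printf(
        "%-20s referer_check=%-5s token_check=%s\n",
        $name,
        var_export(referer_check($server, 'shop.example'), true),
        var_export(token_check($session, $post), true)
    );
}
```

The token ties a submission to a session the server actually issued the form to; it does not stop a scripted client that first requests the form itself, so authorization still has to rest on the session's identity rather than on any request header.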
