XHR using referer against hackers attack ...

whisher06

Hi.
request.php

<?php 
function getUri($page){
	$host= $_SERVER['HTTP_HOST'];
	$uri= rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
	$extra= $page;
	return 'http://'.$host.$uri.'/'.$extra;
}
if($_SERVER['HTTP_REFERER']!=getUri('refer.htm')){
	exit('Bad referer page');
}
else{
	echo "Good referer page";
}

?>

What do you think about this method to prevent
hackers attack ?

Thanks in advance 😉

Bye.

Weedpacket

How do you see this being used? I mean, it says it's "bad" for me to just type the URL into the browser (because in that case HTTP_REFERER won't be defined).

whisher06

Thanks a lot for your replay.
i.e
XHR refer.htm :

<html>
<script>
var req = null;
function processReqChange() {
  if (req.readyState == 4 && req.status == 200 ) {
   		alert(req.responseText);
   }
}

function loadUrl( url ) {
  if(window.XMLHttpRequest) {
    try { req = new XMLHttpRequest();
    } catch(e) { req = false; }
  } else if(window.ActiveXObject) {
    try { req = new ActiveXObject('Msxml2.XMLHTTP');
    } catch(e) {
    try { req = new ActiveXObject('Microsoft.XMLHTTP');
    } catch(e) { req = false; }
  } }
  if(req) {
    req.onreadystatechange = processReqChange;
    req.open('GET', url, true);
    req.send('');
  }
}
loadUrl('request.php');
</script>
<body>
</body>
</html>

MarkR

You should not use HTTP_REFERER for anything critical, including authentication or security checks of any kind.

An XMLHttpRequest request should be treated no differently to any other request with respect to authentication and authorisation:
- You must provide enough information for the server to identify WHO the requester is.
- You must check this identity on the server side.
- You must do all necessary checks to ensure that they are allowed to do the exact operation that they're trying to do.

This is necessary on every single request whether it originated via a normal web page or XHR.

Note that I believe that XHR is actually more resistant to CSRF attacks than conventional POSTs.

If you worry about CSRF, you should post additional tokens to try to prevent that too.

NB: CSRF is the least of your worries if there is even a tiny chance that your site has a XSS or SQL injection vulnerability.

Mark

whisher06

Thanks a lot for the explanation 😉.

An XMLHttpRequest request should be treated no differently to any other request with respect to authentication and authorisation:
- You must provide enough information for the server to identify WHO the requester is.
- You must check this identity on the server side.
- You must do all necessary checks to ensure that they are allowed to do the exact operation that they're trying to do.

As usual I put into the request page
if(isset($_POST['nickname'])) {
//good
}
else{
//exit or redirect to the main page
}
or I set a session on the main page
to check it in the request.
Could you show me a different approach ?

Bye.

bradgrafelman

Just some comments on some of the things I see being used:

The "Host" (e.g. $_SERVER['HTTP_HOST']) is indeed a required header in the HTTP/1.1 protocol... though it is not required in the 1.0 protocol. Some browsers may still use 1.0 (in fact, IE6 can easily switch to the 1.0 protocol simply by unticking a checkbox) or some proxy servers may use this protocol as well. In other words, this header shouldn't be relied upon.
Same deal for the Referer header. As MarkR points out, this header simply shouldn't be relied upon - it's completely optional, can easily be faked/altered, and some proxies/gateways/software/browsers/etc. simply remove it from all outgoing connections.