WebApp Sec mailing list archives

Re: HTTP REFERER not set in Internet Explorer
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Thu, 17 Nov 2005 08:11:34 +0200

On 16 Nov 2005 at 8:16, Saqib Ali wrote:

> Hello,
>
> I am writing a secure application that tracks users on a website by
> use of HTTP_REFERER. But it seems like Internet Explorer is not properly
> populating this field.
>
> Visit the following website using IE and Firefox.
> http://www.xml-dev.com/blog/referer_test.php
>
> And click on the link that says "Click Here"
>
> With Firefox, the correct HTTP_REFERER will be displayed after you
> click the link. But with I.E. the HTTP_REFERER is set to blank.
>
> Has anyone run into this issue?

I ran into similar issues - IE doesn't send the Referer when you use JS in a "raw" way.

> How did you make your application
> compatible with both I.E and Mozilla based browsers?

You could try to do it via JS in a more "user-like" way, such as to create an anchor tag and
simulate a click via JS code. If I remember correctly, this should produce a Referer in IE.


> Because of some security concerns I need the HTTP_REFERER to be set
> correctly.

I'm sure you're aware of the fact that a Referer can be easily spoofed using any non-
browser HTTP tool. Moreover, even if a victim uses a standard browser, an attacker may be 
able to force the browser (IE) to emit a spoofed Referer header in some cases, see my 
writeup "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more..." 
at http://www.securityfocus.com/archive/1/411585

-Amit
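
The two cases raised in this thread, seen from the server side, as an added example that is not part of the original post: a loopback-only test server receives one request with no Referer (what the poster observed from IE) and one where a non-browser client supplies the header itself. The host name `www.example.test` and all function names are constructed for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

TRUSTED_HOST = "www.example.test"  # constructed host name (assumption)


def classify_referer(value):
    """What a server can conclude from a Referer header: only a claim."""
    if not value:
        return "absent"  # e.g. the IE case described in the thread
    if urlsplit(value).hostname == TRUSTED_HOST:
        return "claims-trusted"  # client-supplied, not proof of origin
    return "claims-other"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = classify_referer(self.headers.get("Referer")).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def probe(port, referer=None):
    """One GET from a non-browser client; the header is whatever we pass."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Referer": referer} if referer else {})
    result = conn.getresponse().read().decode()
    conn.close()
    return result


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # loopback only, free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_port
        return (probe(port), probe(port, f"http://{TRUSTED_HOST}/page"))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

A check that requires the trusted Referer would turn away the first request even when it comes from a legitimate browser, and would accept the second although no page on the trusted host was ever visited.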

