Referer-Based Access Control Flaw

Ams._.Ghimire
Jan 30, 2024

INTRODUCTION

Referer Header workflow

Referer-based access control is a vulnerability in web applications that rely solely on the HTTP Referer header to enforce access to sensitive data or functionality. Because the Referer header is supplied by the client, it can be set to any value, so a user who sends a request carrying an accepted Referer value reaches the protected resource regardless of their actual privileges. Attackers exploit this by forging requests with a manipulated Referer header and gaining unauthorized access to restricted pages or forms.

EXAMPLE

HamroBank, an online banking platform, relies on the HTTP Referer header to limit access to financial statements, permitting users only from the transaction confirmation page (/confirmation). Hari, an attacker, exploits this weakness by manipulating the Referer header in an HTTP request to the financial statement page (/financials) from the home page. Deceiving HamroBank, Hari gains unauthorized access to sensitive financial data without completing a legitimate transaction.

DEMONSTRATION

Let us inspect a broken-authentication occurrence of Referer-based access control in a vulnerable web application.

Scenario

When inspecting the application with admin privileges, clicking the “upgrade user” button triggers a GET request to the /admin-roles endpoint.

Upon sending the request, the user is elevated to admin privileges, and a 302 Found response is returned.

The request includes the user’s cookie and a Referer header. Notably, the access control mechanism relies solely on the Referer header: if the Referer header does not originate from the /admin endpoint, the privilege upgrade is denied.

Exploitation

Now that we understand how the application authorizes upgrade rights from the Referer header, we can craft a similar request. By substituting our own session cookie in the request and sending our normal user’s parameters to the /admin-roles endpoint, we can attempt the upgrade to an admin role.

After logging in to the normal user account, it becomes apparent that the admin panel is not visible for normal users.

Now, let’s craft a request similar to the admin’s and place our session cookie in the Cookie header to authenticate the normal user’s session. We can retrieve our cookie through a browser extension such as a cookie editor, or from the Storage section of the browser’s Application tab in the developer tools.

Now, let’s send the same request with the normal user’s cookie and username, along with a Referer header pointing at /admin.

After the request is sent, we can observe the admin panel in the normal user’s dashboard. The manipulated request has promoted the normal user to admin status, confirming a Referer-based access control vulnerability. Although the flaw is simple, its impact can be severe; fortunately, the fix is equally straightforward.

REMEDIES

  1. Avoid relying solely on the Referer header for access control.
  2. Conduct access control and validation on the server side to prevent unauthorized access.
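To make the flaw from the Demonstration section and the second remedy concrete, here is an added example (not code from the original post or from any real application) that models the /admin-roles handler twice: once deciding on the client-supplied Referer, and once deciding on the role stored in the server-side session. The session cookies, usernames, host name and the `action` parameter are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample data (assumptions, not from the post): a server-side
# session store mapping the session cookie to the logged-in username.
SESSIONS = {
    "sess-admin-0001": "administrator",
    "sess-user-0002": "carlos",
}


def new_roles():
    """Fresh copy of the user-role table so each call starts from a clean state."""
    return {"administrator": "admin", "carlos": "user"}


def upgrade_vulnerable(headers, cookie, params, roles):
    """The flaw described above: /admin-roles trusts the client-supplied Referer.

    The cookie only proves that someone is logged in; the decision to grant the
    upgrade rests entirely on whether the Referer path starts with /admin,
    which any client can set to whatever it likes.
    """
    if cookie not in SESSIONS:
        return 401
    referer = headers.get("Referer", "")
    if not urlparse(referer).path.startswith("/admin"):
        return 401
    roles[params["username"]] = "admin"
    return 302


def upgrade_fixed(headers, cookie, params, roles):
    """Remedy 2: resolve the caller's role from the server-side session.

    The Referer header is never consulted, so forging it gains nothing.
    """
    caller = SESSIONS.get(cookie)
    if caller is None or roles.get(caller) != "admin":
        return 401
    roles[params["username"]] = "admin"
    return 302


def demo():
    """Replays the post's scenario: a normal user's cookie plus a forged Referer."""
    forged = {"Referer": "https://hamrobank.example/admin"}
    params = {"username": "carlos", "action": "upgrade"}
    results = {}
    roles = new_roles()
    results["vulnerable"] = (upgrade_vulnerable(forged, "sess-user-0002", params, roles), roles["carlos"])
    roles = new_roles()
    results["fixed"] = (upgrade_fixed(forged, "sess-user-0002", params, roles), roles["carlos"])
    return results
```

Running `demo()` shows the vulnerable handler returning 302 and promoting carlos, while the fixed handler returns 401 and leaves the role unchanged.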

This concise overview highlights the practical impact and some remedies for addressing Referer-Based Access Control vulnerabilities in web applications.
