Referer spoofing

In HTTP networking, typically on the World Wide Web, referer spoofing (based on a canonised^[1] misspelling of "referrer") sends incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.

YouTube Encyclopedic

1/3
Views:
13 889
344
20 595

Transcription

Overview

Referer spoofing is typically done for data privacy reasons, in testing, or in order to request information (without genuine authority) which some web servers may only supply in response to requests with specific HTTP referers.

To improve their privacy, individual browser users may replace accurate referer data with inaccurate data, though many simply suppress their browser's sending of any referer data. Sending no referrer information is not technically spoofing, though sometimes also described as such.

In software, systems and networks testing, and sometimes penetration testing, referer spoofing is often just part of a larger procedure of transmitting both accurate and inaccurate as well as expected and unexpected input to the HTTPD system being tested and observing the results.^[2]

While many websites are configured to gather referer information and serve different content depending on the referer information obtained, exclusively relying on HTTP referer information for authentication and authorization purposes is not a genuine computer security measure. HTTP referer information is freely alterable and interceptable, and is not a password, though some poorly configured systems treat it as such.

Application

Some websites, especially many image hosting sites, use referer information to secure their materials: only browsers arriving from their web pages are served images. Additionally a site may want users to click through pages with advertisements before directly being able to access a downloadable file – using the referring page or referring site information can help a site redirect unauthorized users to the landing page the site would like to use.

If attackers acquire knowledge of these approved referrers, which is often trivial because many sites follow a common template,^[3] they can use that information combined with this to exploit and gain access to the materials.

Spoofing often allows access to a site's content where the site's web server is configured to block browsers that do not send referer headers. Website owners may do this to disallow hotlinking.

It can also be used to defeat referer checking controls that are used to mitigate Cross-Site Request Forgery attacks.

Tools

Several software tools exist to facilitate referer spoofing in web browsers. Some are extensions to popular browsers such as Mozilla Firefox or Internet Explorer, which may provide facilities to customise and manage referrer URLs for each website the user visits.

Other tools include proxy servers, to which an individual configures their browser to send all HTTP requests. The proxy then forwards different headers to the intended website, usually removing or modifying the referer header. Such proxies may also present privacy issues for users, as they may log the user's activity.

Notes

^ Gourley, David; Totty, Brian; Sayer, Marjorie; Aggarwal, Anshu; Reddy, Sailu (27 September 2002). HTTP: The Definitive Guide. "O'Reilly Media, Inc.". ISBN 9781565925090.
^ "The HTTPS-Only Standard - Introduction to HTTPS". https.cio.gov. Retrieved 2021-05-01.
^ Sieklik, Boris (March 2016). "Evaluation of TFTP DDoS amplification attack". The Cyber Academy, Edinburgh Napier University.

v t e Scams and confidence tricks
Terminology	Confidence trick Error account Shill Shyster Sucker list
Notable scams and confidence tricks	1992 Indian stock market scam 2G spectrum case Advance-fee scam Art student scam Badger game Bait-and-switch Black money scam Blessing scam Bogus escrow Boiler room Bride scam Charity fraud Clip joint Coin-matching game Coin rolling scams Drop swindle Embarrassing cheque Exit scam Extraterrestrial real estate Fiddle game Fine print Foreclosure rescue scheme Foreign exchange fraud Fortune telling fraud Gem scam Get-rich-quick scheme Green goods scam Hustling Indian coal allocation scam IRS impersonation scam Intellectual property scams Kansas City Shuffle Locksmith scam Long firm Miracle cars scam Mismarking Mock auction Moving scam Overpayment scam Patent safe Pig in a poke Pigeon drop Pork barrel Pump and dump Redemption/A4V schemes Reloading scam Return fraud Salting Shell game Sick baby hoax SIM swap scam Slavery reparations scam Spanish Prisoner SSA impersonation scam SSC Scam Strip search phone call scam Swampland in Florida Technical support scam Telemarketing fraud Thai tailor scam Thai zig zag scam Three-card monte Trojan horse White van speaker scam Work-at-home scheme
Internet scams and countermeasures	Avalanche Carding Catfishing Click fraud Clickjacking Cramming Cryptocurrency scams Cybercrime CyberThrill DarkMarket Domain name scams Email authentication Email fraud Internet vigilantism Lenny anti-scam bot Lottery scam PayPai Phishing Referer spoofing Ripoff Report Rock Phish Romance scam Russian Business Network SaferNet Scam baiting 419eater.com Jim Browning Kitboga Scammer Payback ShadowCrew Spoofed URL Spoofing attack Stock Generation Voice phishing Website reputation ratings Whitemail
Pyramid and Ponzi schemes	Aman Futures Group Bernard Cornfeld Caritas Dona Branca Earl Jones Ezubao Foundation for New Era Philanthropy Franchise fraud High-yield investment program (HYIP) Investors Overseas Service Kapa investment scam Kubus scheme Madoff investment scandal Make Money Fast Matrix scheme MMM Petters Group Worldwide Pyramid schemes in Albania Reed Slatkin Saradha Group financial scandal Secret Sister Scott W. Rothstein Stanford Financial Group Welsh Thrasher faith scam
Lists	Con artists Confidence tricks Criminal enterprises, gangs and syndicates Impostors In the media Film and television Literature Ponzi schemes

This page was last edited on 29 January 2024, at 05:03

From Wikipedia, the free encyclopedia