I’m looking through the CSRF vulnerabilities of the DVWA. I ran into the medium level, which uses this piece of code to validate if the referer header equals the server name:

if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
If so, my query will be accepted and triggered on a database changing login info. I’m doing this through a malicious webpage.
So far I was able to see what the Referer name is on a response header from the server. From my understanding, that PHP function is asking the following:
Is the value of $_SERVER[‘SERVER_NAME’] present in $_SERVER[‘HTTP_REFERER’]?
So, my first thought was trying to manipulate the request URL string and embed the referer header in it (no results). I’m assuming that the if statement is just looking for a pattern. The thing is that I don’t know how to pass it, and quite honestly I don’t understand if my GET request is present in $_SERVER[ 'SERVER_NAME' ] or in $_SERVER[ 'HTTP_REFERER' ]. From my investigation I think the referer header cannot be changed in a simple HTML img tag. So my last question would be: Am I able to forge the string of the img tag (HTTP GET request) in a way that the statement evaluates to true? If not, how can I do that in a scenario where a victim always uses this malicious webpage unconsciously?
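To make the point of the question concrete from the defender's side, here is an added example (not DVWA's code and not from the asker) that puts the substring-style check the eregi() line performs next to a strict host comparison, and runs both over a few constructed Referer values. The host name dvwa.example and the sample Referers are made up for the illustration; eregi() itself was removed in PHP 7, so stripos() stands in for its case-insensitive "is the pattern present anywhere" behaviour.

```php
<?php
// Added example: weak "server name present anywhere in the Referer" check
// beside a strict "Referer host is exactly the expected host" check.

// Weak check, mirroring the eregi() line from the question: true whenever
// the server name appears anywhere in the Referer string, wherever it sits.
function referer_check_weak(string $serverName, string $referer): bool
{
    return stripos($referer, $serverName) !== false;
}

// Strict check: parse the Referer as a URL and require its host component
// to equal the expected host (case-insensitive). Path, query and fragment
// cannot influence the result, and a missing or unparseable Referer is
// rejected rather than silently accepted.
function referer_check_strict(string $serverName, string $referer): bool
{
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    return strcasecmp($host, $serverName) === 0;
}

$expected = 'dvwa.example';   // constructed stand-in for SERVER_NAME

// Constructed Referer values: one legitimate same-site request, two
// cross-site URLs that merely contain the expected name, one empty header.
$referers = [
    'http://dvwa.example/vulnerabilities/csrf/',
    'http://dvwa.example.other.example/',
    'http://other.example/?next=dvwa.example',
    '',
];

foreach ($referers as $ref) {
    printf(
        "%-45s weak=%-6s strict=%s\n",
        $ref === '' ? '(no Referer)' : $ref,
        referer_check_weak($expected, $ref) ? 'accept' : 'reject',
        referer_check_strict($expected, $ref) ? 'accept' : 'reject'
    );
}
```

Only the first Referer passes the strict check; the weak check accepts the two cross-site URLs as well. Even the strict form is a supporting control only, since browsers may omit the header: the standard CSRF defence (and what DVWA's higher level uses) is a per-session anti-CSRF token verified on every state-changing request.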