How to forge Referer Header in GET method triggered on HTML

I’m looking through the CSRF vulnerabilities of the DVWA. I ran into the medium level, which uses this piece of code to validate if the referer header equals the server name:

if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )

If so, my query will be accepted and triggered on a database changing login info. I’m doing this through a malicious webpage.

So far I was able to see what the Referer name is on a response header from the server. From my understanding, that PHP function is asking the following:

Is the value of $_SERVER['SERVER_NAME'] present in $_SERVER['HTTP_REFERER']?

So, my first thought was to try manipulating the request URL string and embedding the referer header in it (no results). I’m assuming that the if statement is just looking for a pattern. The thing is that I don’t know how to pass it, and quite honestly I don’t understand whether my GET request is present in $_SERVER[ 'SERVER_NAME' ] or in $_SERVER[ 'HTTP_REFERER' ]. From my investigation, I think the referer header cannot be changed in a simple HTML img tag. So my last question would be: am I able to forge the string of the img tag (HTTP GET request) in a way that the statement evaluates to true? If not, how can I do that in a scenario where a victim always uses this malicious webpage unconsciously?
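The check quoted in the question, modelled in Python as an added example (this is not DVWA's code; the server name, Referer values and tokens are constructed): eregi() searches for the server name as a case-insensitive pattern anywhere in the Referer, whereas a hardened handler compares the parsed origin exactly and relies on a per-session anti-CSRF token as the primary control.

```python
import hmac
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for the demonstration (not taken from the DVWA source).
SERVER_NAME = "dvwa.local"
SAME_ORIGIN_REFERER = "http://dvwa.local/vulnerabilities/csrf/"
OTHER_ORIGIN_REFERER = "http://third-party.example/dvwa.local/page.html"


def weak_referer_check(server_name: str, referer: Optional[str]) -> bool:
    """Models eregi($_SERVER['SERVER_NAME'], $_SERVER['HTTP_REFERER']):
    the server name is used as a case-insensitive *pattern* searched for
    anywhere in the Referer string, so any URL that contains it is accepted."""
    if referer is None:
        return False
    return re.search(server_name, referer, re.IGNORECASE) is not None


def strict_referer_check(server_name: str, referer: Optional[str],
                         scheme: str = "http") -> bool:
    """Hardened form: require a Referer, parse it, and accept only an exact
    match on scheme and host (the origin), never a substring match."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == scheme and parts.hostname == server_name.lower()


def csrf_token_check(session_token: str, submitted_token: Optional[str]) -> bool:
    """The primary CSRF defence: a per-session token compared in constant time.
    The Referer comparison is only a secondary, defence-in-depth signal."""
    if submitted_token is None:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def allow_password_change(server_name: str, referer: Optional[str],
                          session_token: str, submitted_token: Optional[str],
                          scheme: str = "http") -> bool:
    """Decision the handler should make before touching the database."""
    return (strict_referer_check(server_name, referer, scheme)
            and csrf_token_check(session_token, submitted_token))
```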


How to implement password reset functionality without becoming susceptible to cross-domain referer leakage?

I have typically implemented password reset functionality by sending a link that included something like this:

http://example.com/pwreset?id=userId&resetToken=superSecretResetToken

On my pwreset page I will typically request a few re…