When you browse the web, even if this is completely transparent to (most of )users, there is a continuos exchange of meta data between your web browser and the server in which the website is hosted. Tecnically speaking, browser and server send and receive requests. These requests contain headers: fields defining characteristic of the sent data, in particular the referer contains the url of the previous web page from which a link led the user to the current page.
In this way the referer tell us which pages are currently linking to our weblog so we can check who's talking about us.
Beyond this advantage there is a big pitfall: Storing and showing the referer expose the application to potential threats such as Cross Site Scripting and more silently to an unusual threat that i decided to call Link Injection (I say that "I decided" because i have not found any literature about this kind of issue yet).
Wordpress.com seems to filter user input properly to protect users against XSS and code injection, but it does not provide any protection against link injection!
HTTP Referer can be easily modifyed : I used to do with the firefox extension Modify Headers or with the fantastic Webscarab a powerful framework from OWASP; the easiness of this attack makes its power, here's a possible scenario:
The attacker knows the url of victim's blog, so he write a script to send http requests on it. Let's say that the victim's blog is not very popular so a dozen visits to his blog from the same source could make him curious; the attacker knows that, or maybe he decide the number of requests to send by probabilistic considerations. In this way the victim will follow the injected link . That link could represent an infected page or something else.
Unfortunately there isn't an easy way to avoid this kind of threat without compromise the efficiency of the service, personally i would remove the anchor tag from referers and i'd put a little "Warning" near them.
0 commenti
Posta un commento