Referrer Spoofing in Javascript?

[Rod Hilton]

Hey everyone,

Does anyone know if it's possible to spoof a referral using Javascript - as
in, when I go from web site A to web site B, if B uses php or javascript or
something to see the referring site, instead of site A they see site C,
which A does something to make B see?

I'm trying to write a script for a site that will allow someone to send a
GET request to my script and have it be converted to a POST for another
site (so that you can bookmark searches for sites using POST). It works
fine, using PHP-generated Javascript, but the problem is that one specific
site, I think checks to make sure the referring site was it's own, making
it impossible to use my script for its intended purpose in this instance.
I was hoping I could do something in javascript to fool the site into
thinking I came from the "right" page.

The referrer is stored in the browser, so I imagine there has to be some
way to spoof a referrer using javascript. Any ideas?

 

[Lee]

Rod Hilton said:

The referrer is stored in the browser, so I imagine there has to be some
way to spoof a referrer using javascript. Any ideas?

That's an odd thing to imagine. There are far more things
stored in the browser that are not available to script than
are available.

The authors of the popular browsers are, for the most part,
intelligent and honest, and try to avoid making it easy for
people to get away with the sort of spoofing that would make
any feature of the system (such as HTTP-REFERRER) completely
useless.

 

[Rod Hilton]

Rod Hilton said:


That's an odd thing to imagine. There are far more things
stored in the browser that are not available to script than
are available.

The authors of the popular browsers are, for the most part,
intelligent and honest, and try to avoid making it easy for
people to get away with the sort of spoofing that would make
any feature of the system (such as HTTP-REFERRER) completely
useless.

Well, I'm mostly imagining it because I want to do it so badly.

I'll take this answer as a no, then? That's disappointing - searches that
use POST make it impossible to use my web browsers bookmark/nickname
feature.

Ah well. Thanks

 

[John Bokma]

referer, as all other headers the browser sends can be easily spoofed. A
site relying on those is broken in the first place.

Well, I'm mostly imagining it because I want to do it so badly.

Then use Perl, PHP or some other server-side trick.

 

[Rod Hilton]

Then use Perl, PHP or some other server-side trick.

Is that possible? To visit site B from site A and have site B think site A
was something else? It would seem like, after A sends the page to the
client, it has lost its opportunity to influence site B's data in any way.

I'm well versed in PHP (well, pretty well versed), and I don't know of a
way to do that.

 

[John Bokma]

Is that possible? To visit site B from site A and have site B think
site A was something else?

Your browser can do it, so yes. The browser *sends* the referer to the
site, it can put anything it wants in that header.

It would seem like, after A sends the page
to the client, it has lost its opportunity to influence site B's data
in any way.

I'm well versed in PHP (well, pretty well versed), and I don't know of
a way to do that.

Can you send the headers? If you can, you can send anything you want.
Including a spoofed header.

 

[Rod Hilton]

Can you send the headers? If you can, you can send anything you want.
Including a spoofed header.

Well, you could have the PHP script send a different location header, but
that would actually redirect the browser. What I'm saying is, when the
client makes a connection to site B, it doesn't run anything by site A
again, so what could A do to spoof the header as it appears to site B? The
connection between the client and A is over.. and I don't think A can tell
the browser it's at a different site - any method I can think of to do that
redirects the browser. That's why I thought it might be a task more
related to javascript than any server side application.

 

[Lee]

Rod Hilton said:

Well, you could have the PHP script send a different location header, but
that would actually redirect the browser. What I'm saying is, when the
client makes a connection to site B, it doesn't run anything by site A
again, so what could A do to spoof the header as it appears to site B? The
connection between the client and A is over.. and I don't think A can tell
the browser it's at a different site - any method I can think of to do that
redirects the browser. That's why I thought it might be a task more
related to javascript than any server side application.

The client connects to a PHP page on server A, which sends spoofed header
information to server B, recieves the HTTP response, and sends that response to
the client.

 

[Jim Ley]

Rod Hilton said:


That's an odd thing to imagine. There are far more things
stored in the browser that are not available to script than
are available.

the XML HTTP Request Object lets you set any header, including the
Referrer of course.

Jim.

 

[John Bokma]

Well, you could have the PHP script send a different location header,
but that would actually redirect the browser. What I'm saying is,
when the client makes a connection to site B, it doesn't run anything
by site A again, so what could A do to spoof the header as it appears
to site B? The connection between the client and A is over.. and I
don't think A can tell the browser it's at a different site - any
method I can think of to do that redirects the browser. That's why I
thought it might be a task more related to javascript than any server
side application.

Server side you can fetch the page from the other site, like a browser
does, and hence you can spoof whatever you want.

 

[Rod Hilton]

Rod Hilton said:

The client connects to a PHP page on server A, which sends spoofed
header information to server B, recieves the HTTP response, and sends
that response to the client.

I was doing that. The problem is how much work it takes to parse the
thing. If the HTML sent back uses relative links, I have to parse the
thing and force all of the links and srcs to be absolute, which is a lot of
work. I want the client to make the connection to B, otherwise my script
has to be extremly complex, I believe.

 

[John Bokma]

Rod Hilton wrote:

[ header spoofing ]

I was doing that. The problem is how much work it takes to parse the
thing. If the HTML sent back uses relative links, I have to parse the
thing and force all of the links and srcs to be absolute, which is a
lot of work.

I want the client to make the connection to B, otherwise
my script has to be extremly complex, I believe.

Or use Perl