Referrer Spoofing in Javascript?

Discussion in 'Javascript' started by Rod Hilton, Oct 8, 2004.

  1. Rod Hilton

    Rod Hilton Guest

    Hey everyone,

    Does anyone know if it's possible to spoof a referral using Javascript - as
    in, when I go from web site A to web site B, if B uses php or javascript or
    something to see the referring site, instead of site A they see site C,
    which A does something to make B see?

    I'm trying to write a script for a site that will allow someone to send a
    GET request to my script and have it be converted to a POST for another
    site (so that you can bookmark searches for sites using POST). It works
    fine, using PHP-generated Javascript, but the problem is that one specific
    site, I think, checks to make sure the referring site was its own, making
    it impossible to use my script for its intended purpose in this instance.
    I was hoping I could do something in javascript to fool the site into
    thinking I came from the "right" page.

    The referrer is stored in the browser, so I imagine there has to be some
    way to spoof a referrer using javascript. Any ideas?
     
    Rod Hilton, Oct 8, 2004
    #1

  2. Rod Hilton

    Lee Guest

    Rod Hilton said:

    >The referrer is stored in the browser, so I imagine there has to be some
    >way to spoof a referrer using javascript. Any ideas?


    That's an odd thing to imagine. There are far more things
    stored in the browser that are not available to script than
    are available.

    The authors of the popular browsers are, for the most part,
    intelligent and honest, and try to avoid making it easy for
    people to get away with the sort of spoofing that would make
    any feature of the system (such as HTTP-REFERRER) completely
    useless.
     
    Lee, Oct 8, 2004
    #2

  3. Rod Hilton

    Rod Hilton Guest

    Lee <> wrote in news::

    > Rod Hilton said:
    >
    >>The referrer is stored in the browser, so I imagine there has to be some
    >>way to spoof a referrer using javascript. Any ideas?

    >
    > That's an odd thing to imagine. There are far more things
    > stored in the browser that are not available to script than
    > are available.
    >
    > The authors of the popular browsers are, for the most part,
    > intelligent and honest, and try to avoid making it easy for
    > people to get away with the sort of spoofing that would make
    > any feature of the system (such as HTTP-REFERRER) completely
    > useless.
    >
    >


    Well, I'm mostly imagining it because I want to do it so badly. ;)

    I'll take this answer as a no, then? That's disappointing - searches that
    use POST make it impossible to use my web browser's bookmark/nickname
    feature.

    Ah well. Thanks
     
    Rod Hilton, Oct 9, 2004
    #3
  4. Rod Hilton

    John Bokma Guest

    Rod Hilton <> wrote in
    news:Xns957CDAC09716DrodNOSPAMair0daycom@216.196.97.136:

    >> any feature of the system (such as HTTP-REFERRER) completely
    >> useless.


    Referer, like all other headers the browser sends, can be easily spoofed. A
    site relying on those is broken in the first place.

    > Well, I'm mostly imagining it because I want to do it so badly. ;)


    Then use Perl, PHP or some other server-side trick.

    --
    John MexIT: http://johnbokma.com/mexit/
    personal page: http://johnbokma.com/
    Experienced programmer available: http://castleamber.com/
    Happy Customers: http://castleamber.com/testimonials.html
     
    John Bokma, Oct 9, 2004
    #4
  5. Rod Hilton

    Rod Hilton Guest

    John Bokma <> wrote in
    news:Xns957CEF4BA59BDcastleamber@130.133.1.4:

    > Then use Perl, PHP or some other server-side trick.


    Is that possible? To visit site B from site A and have site B think site A
    was something else? It would seem like, after A sends the page to the
    client, it has lost its opportunity to influence site B's data in any way.

    I'm well versed in PHP (well, pretty well versed), and I don't know of a
    way to do that.
     
    Rod Hilton, Oct 9, 2004
    #5
  6. Rod Hilton

    John Bokma Guest

    Rod Hilton <> wrote in
    news:Xns957D8467AA50rodNOSPAMair0daycom@216.196.97.136:

    > John Bokma <> wrote in
    > news:Xns957CEF4BA59BDcastleamber@130.133.1.4:
    >
    >> Then use Perl, PHP or some other server-side trick.

    >
    > Is that possible? To visit site B from site A and have site B think
    > site A was something else?


    Your browser can do it, so yes. The browser *sends* the referer to the
    site, it can put anything it wants in that header.

    > It would seem like, after A sends the page
    > to the client, it has lost its opportunity to influence site B's data
    > in any way.
    >
    > I'm well versed in PHP (well, pretty well versed), and I don't know of
    > a way to do that.


    Can you send the headers? If you can, you can send anything you want.
    Including a spoofed header.

     
    John Bokma, Oct 9, 2004
    #6
  7. Rod Hilton

    Rod Hilton Guest

    John Bokma <> wrote in
    news:Xns957D955D876BEcastleamber@130.133.1.4:

    > Can you send the headers? If you can, you can send anything you want.
    > Including a spoofed header.


    Well, you could have the PHP script send a different location header, but
    that would actually redirect the browser. What I'm saying is, when the
    client makes a connection to site B, it doesn't run anything by site A
    again, so what could A do to spoof the header as it appears to site B? The
    connection between the client and A is over.. and I don't think A can tell
    the browser it's at a different site - any method I can think of to do that
    redirects the browser. That's why I thought it might be a task more
    related to javascript than any server side application.
     
    Rod Hilton, Oct 10, 2004
    #7
  8. Rod Hilton

    Lee Guest

    Rod Hilton said:
    >
    >John Bokma <> wrote in
    >news:Xns957D955D876BEcastleamber@130.133.1.4:
    >
    >> Can you send the headers? If you can, you can send anything you want.
    >> Including a spoofed header.

    >
    >Well, you could have the PHP script send a different location header, but
    >that would actually redirect the browser. What I'm saying is, when the
    >client makes a connection to site B, it doesn't run anything by site A
    >again, so what could A do to spoof the header as it appears to site B? The
    >connection between the client and A is over.. and I don't think A can tell
    >the browser it's at a different site - any method I can think of to do that
    >redirects the browser. That's why I thought it might be a task more
    >related to javascript than any server side application.


    The client connects to a PHP page on server A, which sends spoofed header
    information to server B, receives the HTTP response, and sends that response to
    the client.
     
    Lee, Oct 10, 2004
    #8
  9. Rod Hilton

    Jim Ley Guest

    On 8 Oct 2004 14:36:40 -0700, Lee <> wrote:

    >Rod Hilton said:
    >
    >>The referrer is stored in the browser, so I imagine there has to be some
    >>way to spoof a referrer using javascript. Any ideas?

    >
    >That's an odd thing to imagine. There are far more things
    >stored in the browser that are not available to script than
    >are available.


    the XML HTTP Request Object lets you set any header, including the
    Referrer of course.

    Jim.
     
    Jim Ley, Oct 10, 2004
    #9
  10. Rod Hilton

    John Bokma Guest

    Rod Hilton wrote:

    > John Bokma <> wrote in
    > news:Xns957D955D876BEcastleamber@130.133.1.4:
    >
    >> Can you send the headers? If you can, you can send anything you want.
    >> Including a spoofed header.

    >
    > Well, you could have the PHP script send a different location header,
    > but that would actually redirect the browser. What I'm saying is,
    > when the client makes a connection to site B, it doesn't run anything
    > by site A again, so what could A do to spoof the header as it appears
    > to site B? The connection between the client and A is over.. and I
    > don't think A can tell the browser it's at a different site - any
    > method I can think of to do that redirects the browser. That's why I
    > thought it might be a task more related to javascript than any server
    > side application.


    Server side you can fetch the page from the other site, like a browser
    does, and hence you can spoof whatever you want.

     
    John Bokma, Oct 10, 2004
    #10
  11. Rod Hilton

    Rod Hilton Guest

    Lee <> wrote in news::

    > Rod Hilton said:
    >>
    >>John Bokma <> wrote in
    >>news:Xns957D955D876BEcastleamber@130.133.1.4:
    >>
    >>> Can you send the headers? If you can, you can send anything you
    >>> want. Including a spoofed header.

    >>
    >>Well, you could have the PHP script send a different location header,
    >>but that would actually redirect the browser. What I'm saying is,
    >>when the client makes a connection to site B, it doesn't run anything
    >>by site A again, so what could A do to spoof the header as it appears
    >>to site B? The connection between the client and A is over.. and I
    >>don't think A can tell the browser it's at a different site - any
    >>method I can think of to do that redirects the browser. That's why I
    >>thought it might be a task more related to javascript than any server
    >>side application.

    >
    > The client connects to a PHP page on server A, which sends spoofed
    > header information to server B, receives the HTTP response, and sends
    > that response to the client.
    >


    I was doing that. The problem is how much work it takes to parse the
    thing. If the HTML sent back uses relative links, I have to parse the
    thing and force all of the links and srcs to be absolute, which is a lot of
    work. I want the client to make the connection to B, otherwise my script
    has to be extremely complex, I believe.
     
    Rod Hilton, Oct 10, 2004
    #11
  12. Rod Hilton

    John Bokma Guest

    Rod Hilton wrote:

    [ header spoofing ]

    > I was doing that. The problem is how much work it takes to parse the
    > thing. If the HTML sent back uses relative links, I have to parse the
    > thing and force all of the links and srcs to be absolute, which is a
    > lot of work.


    Just set a baseurl in the <head> part

    > I want the client to make the connection to B, otherwise
    > my script has to be extremely complex, I believe.


    Or use Perl

     
    John Bokma, Oct 10, 2004
    #12
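
John Bokma's point in post #4, that a site relying on client-sent headers is broken, seen from site B's side. This is an added example, not code from the thread: it compares a Referer check with a session-bound HMAC form token, and the secret, origin, and request objects are constructed placeholders.

```javascript
// Added example: a Referer check versus a server-verifiable form token.
// All names and sample values below are constructed for illustration.
const crypto = require('node:crypto');

const SERVER_SECRET = 'constructed-demo-secret'; // assumption: known only to the server
const OWN_ORIGIN = 'https://site-b.example';     // assumption: placeholder for "site B"

// Weak: trusts a header that the client writes itself.
function refererCheck(req) {
  const ref = req.headers['referer'] || '';
  return ref.startsWith(OWN_ORIGIN + '/');
}

// Issued when site B renders its own search form; bound to the session.
function issueFormToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(sessionId).digest('hex');
}

// Stronger: the client must present a value only the server could compute.
function tokenCheck(req) {
  const expected = Buffer.from(issueFormToken(req.sessionId), 'hex');
  const given = Buffer.from(String(req.body.token || ''), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed requests, as the server would see them after parsing.
const fromOwnForm = {
  sessionId: 'sess-1',
  headers: { referer: OWN_ORIGIN + '/search' },
  body: { q: 'x', token: issueFormToken('sess-1') },
};
const scripted = { // a non-browser client chooses its own headers, has no token
  sessionId: 'sess-2',
  headers: { referer: OWN_ORIGIN + '/search' },
  body: { q: 'x' },
};
const refererStripped = { // legitimate user whose Referer was removed in transit
  sessionId: 'sess-3',
  headers: {},
  body: { q: 'x', token: issueFormToken('sess-3') },
};

// Result of both checks for one request.
function evaluate(req) {
  return { referer: refererCheck(req), token: tokenCheck(req) };
}
```

The Referer check accepts the scripted request and rejects the legitimate user whose header was stripped; the token check gets both right.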