Posted to dev@sling.apache.org by Daniel Sungjin Jung <su...@adobe.com> on 2015/05/28 10:11:32 UTC

security risk of allow empty referrer in Apache Sling Referrer Filter

Hi ,

Checking “Allow Empty” checkbox in Apache Sling Referrer Filter is not recommended in production service.
I’d like to know what specific security risks we face if we turn it on for production service.


Best Regards,

Daniel Sungjin Jung
strategic accounts specialist & critical situation manager, digital marketing | adobe | +82 (2) 530-8050 | sujung@adobe.com

Re: security risk of allow empty referrer in Apache Sling Referrer Filter

Posted by Carsten Ziegeler <cz...@apache.org>.
On 28.05.15 at 10:11, Daniel Sungjin Jung wrote:
> Hi ,
> 
> Checking “Allow Empty” checkbox in Apache Sling Referrer Filter is not recommended in production service.
> I’d like to know what specific security risks we face if we turn it on for production service.
> 
If you do no referrer check, you're e.g. vulnerable to CSRF attacks
(https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_The_Referer_Header).
Unless you have another CSRF protection in place, of course.

Regards
Carsten
-- 
Carsten Ziegeler
Adobe Research Switzerland
cziegeler@apache.org

Re: security risk of allow empty referrer in Apache Sling Referrer Filter

Posted by Lars Krapf <lk...@adobe.com>.
Hello Daniel

On 28.05.2015 10:11, Daniel Sungjin Jung wrote:
> Checking “Allow Empty” checkbox in Apache Sling Referrer Filter is not recommended in production service.
> I’d like to know what specific security risks we face if we turn it on for production service.

Apart from the obvious cases (bugs in browser/plugins, MitM) which allow
for HTTP header manipulation but often allow complete circumvention of
CSRF protections anyway, there have been several cases where it was
possible to strip the referrer header client-side using some tricks with
javascript and iframes (e.g. [0], [1]).

Best greetings
Lars


[0] http://homakov.blogspot.com/2012/04/playing-with-referer-origin-disquscom.html
[1] http://webstersprodigy.net/2013/02/01/stripping-the-referer-in-a-cross-domain-post-request/
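
The two replies above make one combined point: a referrer check only protects state-changing requests whose Referer header is present and trustworthy, and a client that can strip the header (Lars's iframe/JavaScript cases) turns "Allow Empty" into a bypass. The following is an added example, not the Apache Sling Referrer Filter's own code: a simplified model of a Referer-based CSRF check with an allow-empty switch, run over a few constructed requests so the effect of the switch is visible, plus a token fallback of the kind Carsten calls "another CSRF protection". The host names, the set of filtered methods and the token mechanism are assumptions made for the example.

```python
# Added example (not Sling's code): a simplified model of a Referer-based
# CSRF check with an "allow empty" switch, plus a CSRF-token fallback.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit
import hmac

# Assumption: only state-changing methods are subject to the check; GET passes.
FILTERED_METHODS = frozenset({"POST", "PUT", "DELETE"})


@dataclass(frozen=True)
class ReferrerFilter:
    own_host: str                               # host this instance serves (assumed name)
    allow_empty: bool = False                   # the "Allow Empty" switch under discussion
    allow_hosts: FrozenSet[str] = frozenset()   # extra trusted referrer hosts

    @staticmethod
    def referer_host(referer: str) -> Optional[str]:
        """Lower-cased host of an absolute http(s) Referer URL, or None if unusable.
        urlsplit handles userinfo, so 'https://a@b/' yields host 'b', not 'a'."""
        parts = urlsplit(referer)
        if parts.scheme not in ("http", "https"):
            return None
        return parts.hostname

    def is_allowed(self, method: str, referer: Optional[str]) -> bool:
        """Decision of the plain referrer check."""
        if method.upper() not in FILTERED_METHODS:
            return True
        if not referer:
            # A missing or client-side stripped Referer lands here. With
            # allow_empty=True a cross-site POST without the header is accepted.
            return self.allow_empty
        host = self.referer_host(referer)
        if host is None:
            return False
        return host == self.own_host or host in self.allow_hosts

    def is_allowed_with_token(self, method: str, referer: Optional[str],
                              expected_token: Optional[str],
                              submitted_token: Optional[str]) -> bool:
        """Same check, but an empty Referer is accepted only together with a
        valid per-session CSRF token instead of being trusted outright
        (assumed design; illustrates a second, independent CSRF defence)."""
        if method.upper() not in FILTERED_METHODS:
            return True
        if referer:
            return self.is_allowed(method, referer)
        if not expected_token or not submitted_token:
            return False
        return hmac.compare_digest(expected_token, submitted_token)


# Constructed sample requests: (label, method, Referer header or None).
SAMPLE_REQUESTS = [
    ("same-site form post",          "POST", "https://sling.example/content/form.html"),
    ("cross-site post",              "POST", "https://attacker.example/csrf.html"),
    ("cross-site, referer stripped", "POST", None),
    ("plain page view",              "GET",  None),
]


def decisions(f: ReferrerFilter) -> Dict[str, bool]:
    """Run every sample request through the filter; True means accepted."""
    return {label: f.is_allowed(method, ref) for label, method, ref in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for allow_empty in (False, True):
        f = ReferrerFilter(own_host="sling.example", allow_empty=allow_empty)
        print(f"allow_empty={allow_empty}: {decisions(f)}")
```

With allow_empty=False the cross-site request with a stripped Referer is rejected like the one that still carries attacker.example; with allow_empty=True it is accepted, which is exactly the gap the replies describe. The token variant keeps the empty-Referer case closed without needing the header at all.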