Spoofing HTTP Referrer data using ASP.NET

2

7

Answers on here and various other sites are often full of warnings not to trust HTTP Referrer headers because they are 'so easily' spoofed or faked.

Before I go any further - no, I'm not up to no good - but I do want to run some referrer-dependent tests.

Whilst I don't doubt that the warnings about fake referrers are true, I can't really find much detailed info on how they can be manipulated. Even the Wikipedia article only talks about it in general terms.

I'm about to play with the RefControl add-in for Firefox.

Programmatically (in ASP.NET specifically) the UrlReferrer is a read-only property, so I don't see how I can fire off requests with fake referrer data if I can't set it? Do I really have to do it manually?

How would I use ASP.NET to send a request to my site with a user-supplied variable to populate the referrer header?

EDIT: As per my comment below, I ideally want to take an incoming request, manipulate the referrer data and then pass the request on to another page, intact. If I can make it appear intact by building a new one from scratch and copying the original properties, then that is fine too.

Interphone answered 4/10, 2011 at 15:26 Comment(2)
You mean WebRequest.Create to send the request, not ASP.NET? Or are you unit-testing your pages without actually going through a web request, i.e. you need to mock the context classes so you can modify them? – Nisus
Well, I thought I'd use ASP.NET to perform a sort of "passthrough" request, i.e. when I visit my test page, it simply manipulates the referrer before passing my request on to another page. If I can do that with WebRequest, then the answer to your question is "yes"! – Interphone
D
6

I don't know if this is exactly what you want, but in general, you should be able to spoof the value of the UrlReferrer property (even if it's read-only) in HttpContext.Current.Request by using a bit of reflection.

For example:

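using System;
using System.Reflection;
using System.Web;

// _referrer is the private backing field behind the read-only UrlReferrer property.
FieldInfo fi = HttpContext.Current.Request.GetType().GetField("_referrer", BindingFlags.NonPublic | BindingFlags.Instance);

// Value parsed from the incoming request, captured before the field is overwritten.
string initialReferer = HttpContext.Current.Request.UrlReferrer.ToString();
if (fi != null)
    fi.SetValue(HttpContext.Current.Request, new Uri("http://example.com"));
string fakedReferer = HttpContext.Current.Request.UrlReferrer.ToString();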

In VS, these are the values before and after changing the UrlReferrer:

initialReferer
"http://localhost/Test/Default.aspx"
fakedReferer
"http://example.com/"

If you open the System.Web assembly using ILSpy you'll notice that the UrlReferrer property looks something like this:

public Uri UrlReferrer
{
    get
    {
        if (this._referrer == null && this._wr != null)
        {
            string knownRequestHeader = this._wr.GetKnownRequestHeader(36);
            if (!string.IsNullOrEmpty(knownRequestHeader))
            {
                try
                {
                    if (knownRequestHeader.IndexOf("://", StringComparison.Ordinal) >= 0)
                    {
                        this._referrer = new Uri(knownRequestHeader);
                    }
                    else
                    {
                        this._referrer = new Uri(this.Url, knownRequestHeader);
                    }
                }
                catch (HttpException)
                {
                    this._referrer = null;
                }
            }
        }
        return this._referrer;
    }
}
Davena answered 4/10, 2011 at 16:25 Comment(2)
Thanks, this looks promising. If I use Response.Redirect, the fake referrer isn't preserved, but it does work with Server.Transfer. – Interphone
@Interphone interesting, but makes sense. Response.Redirect does a round trip to the browser and back to the server. – Davena
A
3

This likely isn't going to get you what you want. But you can edit the Referer of an HttpWebRequest. I don't think there is a way of editing the referrer of your request in context.

using System.Net;

// Referer is a settable string property on an outgoing HttpWebRequest.
HttpWebRequest Req = (HttpWebRequest)System.Net.HttpWebRequest.Create("http://somewhere.com/");
Req.Referer = "http://www.fakesite.com";
Athlete answered 4/10, 2011 at 15:46 Comment(0)
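
An added example, not code from any of the posters above: a loopback HttpListener reports what UrlReferrer contains for each request, and a client sets HttpWebRequest.Referer to a value of its own choosing, which shows why server-side logic cannot treat the header as evidence of where a request came from. The port, class name and method names are assumptions made for the demo.

```csharp
using System;
using System.IO;
using System.Net;
using System.Threading.Tasks;

// Constructed demo: everything runs on localhost, nothing leaves the machine.
static class RefererEchoDemo
{
    const string Prefix = "http://localhost:8089/"; // assumed free local port

    // Sends one GET to the local listener; a null argument sends no Referer header.
    static string Fetch(string referer)
    {
        var req = (HttpWebRequest)WebRequest.Create(Prefix);
        if (referer != null)
            req.Referer = referer; // chosen by the client; nothing validates it
        using (var resp = (HttpWebResponse)req.GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
            return reader.ReadToEnd();
    }

    static void Main()
    {
        using (var listener = new HttpListener())
        {
            listener.Prefixes.Add(Prefix);
            listener.Start();

            // Server side: echo back what UrlReferrer reports for two requests.
            Task server = Task.Run(() =>
            {
                for (int i = 0; i < 2; i++)
                {
                    HttpListenerContext ctx = listener.GetContext();
                    Uri seen = ctx.Request.UrlReferrer; // null when the header is absent
                    using (var writer = new StreamWriter(ctx.Response.OutputStream))
                        writer.Write(seen == null ? "(no referrer)" : seen.AbsoluteUri);
                    ctx.Response.Close();
                }
            });

            // The server sees exactly what the client sent, including nothing at all.
            Console.WriteLine("With header:    " + Fetch("http://www.fakesite.com"));
            Console.WriteLine("Without header: " + Fetch(null));
            server.Wait();
        }
    }
}
```

Server code that reads UrlReferrer has to handle the null case, and any access decision needs a signal the client cannot set, such as a server-issued token.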
