In HTTP networking, typically on the World Wide Web, referer spoofing (based on a canonized misspelling of ''referrer'') sends incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.


Overview

Referer spoofing is typically done for data privacy reasons, in testing, or in order to request information (without genuine authority) which some web servers may only supply in response to requests with specific HTTP referers. To improve their privacy, individual browser users may replace accurate referer data with inaccurate data, though many simply suppress their browser's sending of any referer data. Sending no referrer information is not technically spoofing, though it is sometimes described as such. In software, systems and networks testing, and sometimes penetration testing, referer spoofing is often just part of a larger procedure of transmitting both accurate and inaccurate as well as expected and unexpected input to the HTTPD system being tested and observing the results. While many websites are configured to gather referer information and serve different content depending on the referer information obtained, exclusively relying on HTTP referer information for authentication and authorization purposes is not a genuine computer security measure. HTTP referer information is freely alterable and interceptable, and is not a password, though some poorly configured systems treat it as such.


Application

Some websites, especially many image hosting sites, use referer information to secure their materials: only browsers arriving from their web pages are served images. Additionally, a site may want users to click through pages with advertisements before being able to access a downloadable file directly – using the referring page or referring site information can help a site redirect unauthorized users to the landing page the site would like them to use. If attackers learn which referrers are approved, which is often trivial because many sites follow a common template, they can supply such a referrer themselves to gain access to the materials. Spoofing often allows access to a site's content where the site's web server is configured to block browsers that do not send referer headers. Website owners may do this to disallow hotlinking. It can also be used to defeat referer checking controls that are used to mitigate cross-site request forgery attacks.
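To make the point of the Overview and Application sections concrete, the following added example (not code from the page or from any named project) contrasts a hotlink check that rests entirely on the Referer header with a CSRF check that relies on a per-session token and treats the Referer only as a secondary signal; the allowed host list and the sample headers are assumptions.

```python
from urllib.parse import urlsplit
import hmac

# Assumed hosts of the site doing the checking (constructed, not from the page).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def referer_host(headers):
    """Host named in the Referer header, or None when it is absent or unparseable."""
    ref = headers.get("Referer")
    if not ref:
        return None
    try:
        return urlsplit(ref).hostname
    except ValueError:
        return None


def hotlink_check(headers):
    """Hotlink protection as image hosts commonly apply it: serve the file only
    when the Referer names one of our own hosts. Comparing the parsed hostname
    (not a substring) keeps 'www.example.com.evil.test' from passing. Because the
    server only ever sees the header string, a client that sets the same value
    itself is indistinguishable from a genuine visitor, and a client that
    suppresses the header is rejected even if it is a legitimate, privacy-minded
    user. This is access control by Referer, which the text above calls no
    genuine security measure."""
    return referer_host(headers) in ALLOWED_HOSTS


def csrf_check(headers, form_token, session_token):
    """CSRF defence that does not rest on the Referer alone. The per-session
    token carried in the form is mandatory and compared in constant time. The
    Referer is only an extra signal: if present it must name our hosts, if
    absent (header stripped by the browser or a proxy) the token still decides."""
    token_ok = hmac.compare_digest(form_token or "", session_token)
    host = referer_host(headers)
    if host is not None and host not in ALLOWED_HOSTS:
        return False
    return token_ok


if __name__ == "__main__":
    genuine = {"Referer": "https://www.example.com/gallery"}        # constructed
    lookalike = {"Referer": "https://www.example.com.evil.test/"}  # constructed
    print(hotlink_check(genuine), hotlink_check(lookalike), hotlink_check({}))
    print(csrf_check({}, "tok123", "tok123"), csrf_check(genuine, "bad", "tok123"))
```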


Tools

Several software tools exist to facilitate referer spoofing in web browsers. Some are extensions to popular browsers such as Mozilla Firefox or Internet Explorer, which may provide facilities to customize and manage referrer URLs for each website the user visits. Other tools include proxy servers, to which an individual configures their browser to send all HTTP requests. The proxy then forwards different headers to the intended website, usually removing or modifying the referer header. Such proxies may also present privacy issues for users, as they may log the user's activity.


See also

* Referrer spam, a type of spam aimed at search engines

