Authorization / Cross-Domain Referer Leakage
Cross-domain Referer leakage is an authorization vulnerability that occurs when web applications fail to properly validate the HTTP Referer header. This allows attackers to bypass the same origin policy and access resources in another domain. This vulnerability is classified as CWE-352 (Cross-Site Request Forgery (CSRF)) in the Common Weakness Enumeration (CWE) directory and is described in the OWASP Testing Guide v4. Cross-domain Referer leakage can be used to perform malicious actions, such as accessing restricted areas, submitting false information, and even deleting data.
Cross-domain Referer leakage can lead to serious security risks, such as data leakage, data corruption, and unauthorized access to resources. It is a high risk vulnerability and should be addressed as soon as possible.
To prevent Cross-domain Referer leakage, web applications should properly validate the HTTP Referer header. This can be done by checking the origin of the request and ensuring that it is coming from a valid source. Additionally, the application should use a content security policy (CSP) to restrict the domains that can access the resources and ensure that the HTTP Referer header is always checked.
The following code example is taken from the CVE directory and demonstrates how Cross-domain Referer leakage can be exploited.
<script> var req = new XMLHttpRequest(); req.open('GET', '/restricted', true); req.setRequestHeader('Content-type', 'text/html'); req.setRequestHeader('Referer', 'http://attacker.example.com'); req.send(); </script>
- In 2017, the Office of Personnel Management (OPM) was affected by Cross-domain Referer leakage, resulting in the loss of personal data of over 22 million people.
- In 2019, a Cross-domain Referer leakage vulnerability was exploited to access customer data in the MobiKwik mobile wallet.
- In 2018, a Cross-domain Referer leakage vulnerability was exploited to access data in the Indian government's Aadhaar system.
- In 2019, a Cross-domain Referer leakage vulnerability was exploited to access user data in the Exactis marketing database.
- In 2020, Cross-domain Referer leakage was exploited to access user data in the entertainment giant Viacom's database.