
I just found these two entries in my error logs:

Date: 2012-02-09 11:33:46.693   
PageUrl: http://thebusinessbook.com/SalfordComamp;tbo=1&q=related:http:/www.barnesandnoble.com/c/city-of-salford-commun2onmousedown=return  
Error: A potentially dangerous Request.Path value was detected from the client (&).
UrlReferrer: http://www.salford.gov.uk/contact-socialservices.htm 
UserAgent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) 
UserHostAddress: 217.155.37.153 UserHostName: 217.155.37.153

Date: 2012-02-09 11:33:41.027   
PageUrl: http://thebusinessbook.com/SalfordComamp;tbo=1&q=related:http:/www.barnesandnoble.com/c/city-of-salford-commun2munitySocialServices    
Error: A potentially dangerous Request.Path value was detected from the client (&). 
UrlReferrer: http://www.salford.gov.uk/contact-socialservices.htm 
UserAgent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) 
UserHostAddress: 217.155.37.153 UserHostName: 217.155.37.153

So this error has happened because there is an & character in the URL without a preceding ? to mark a query string.

What I don't understand is the URL referrer. The listed page is from a UK government website. My site doesn't have anything to do with them, and the page doesn't have any links to my site on it. I have read that sometimes spammers use untrue UrlReferrer headers, but I can't see why a government site would have anything to do with this.

What reasons could there be to cause this? Buggy script on the .gov site, a dumb user, or maybe something my end?

Should I do anything about it, or just ignore it?

Oliver

1 Answer


I'd check my logs around the time those attempts occurred to see if you can find any other oddball requests that might be indicative of someone "fuzzing" your application or otherwise attacking you. It may be nothing, but it's worth double-checking the logs to see.

Ultimately, I'd just ignore the Referer and, assuming the logs don't reveal any pattern of attack, chalk this up to some broken code on somebody else's box.

Anything can be in the Referer header and it should be considered completely untrusted. If your application is somehow making use of the Referer value I'd double-check that you're properly treating it as untrusted and, if you're making use of it in database queries, etc., that you're properly sanitizing it and escaping metacharacters.

Evan Anderson
  • +1 for "Referer header ... should be considered completely untrusted". *Any* GET or POST submitted data should be treated as *completely* untrusted. – dunxd Feb 09 '12 at 13:35
  • Thanks for the help. I checked my logs, and there's nothing else weird looking, so I guess I'll just ignore it. We only use UrlReferrer for error logging to help understand what has gone wrong, and we parameterize everything that goes into the database, so I think we're ok here. – Oliver Feb 09 '12 at 13:58
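As an added example (not part of the question, the answer, or any project mentioned), the script below does the log review the answer recommends: it parses entries in the Date/PageUrl/Error/UrlReferrer/UserAgent/UserHostAddress layout shown in the question, reports each client address's peak number of request-validation errors within a short window so a burst of malformed requests from one client stands out, and lists Referer hosts for context only, without ever using the header for a decision. The two 217.155.37.153 entries are copied from the question; the 203.0.113.7 entries (TEST-NET-3 documentation range), the window size and the threshold are constructed assumptions.

```python
"""Review an ASP.NET error log for clusters of request-validation errors.

Added example; the entry layout is assumed to match the question's log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: the 217.155.37.153 entries reproduce the question's
# format; the 203.0.113.7 entries are constructed to show a burst from one client.
SAMPLE_LOG = """\
Date: 2012-02-09 11:33:46.693
PageUrl: http://thebusinessbook.com/SalfordComamp;tbo=1&q=related:http:/www.barnesandnoble.com/c/city-of-salford-commun2onmousedown=return
Error: A potentially dangerous Request.Path value was detected from the client (&).
UrlReferrer: http://www.salford.gov.uk/contact-socialservices.htm
UserAgent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
UserHostAddress: 217.155.37.153 UserHostName: 217.155.37.153

Date: 2012-02-09 11:33:41.027
PageUrl: http://thebusinessbook.com/SalfordComamp;tbo=1&q=related:http:/www.barnesandnoble.com/c/city-of-salford-commun2munitySocialServices
Error: A potentially dangerous Request.Path value was detected from the client (&).
UrlReferrer: http://www.salford.gov.uk/contact-socialservices.htm
UserAgent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
UserHostAddress: 217.155.37.153 UserHostName: 217.155.37.153
"""
# Six constructed entries, five seconds apart, all from one address.
SAMPLE_LOG += "".join(
    f"\nDate: 2012-02-09 23:12:{1 + 5 * i:02d}.000\n"
    f"PageUrl: http://thebusinessbook.com/Page{i};a&b\n"
    "Error: A potentially dangerous Request.Path value was detected from the client (&).\n"
    "UrlReferrer: \n"
    "UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n"
    "UserHostAddress: 203.0.113.7 UserHostName: 203.0.113.7\n"
    for i in range(6)
)

_FIELD = re.compile(r"^(\w+):\s?(.*)$")


def parse_log(text):
    """Split the log into blank-line-separated entries, each a dict of fields."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in chunk.splitlines():
            m = _FIELD.match(line.strip())
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip()
            # The address line carries two fields; split the hostname off.
            if key == "UserHostAddress" and " UserHostName: " in value:
                value, hostname = value.split(" UserHostName: ", 1)
                entry["UserHostName"] = hostname.strip()
            entry[key] = value
        entry["when"] = datetime.strptime(entry["Date"], "%Y-%m-%d %H:%M:%S.%f")
        entries.append(entry)
    return entries


def max_errors_in_window(entries, window=timedelta(seconds=60)):
    """Per client address, the largest number of errors seen inside any `window`."""
    times = defaultdict(list)
    for e in entries:
        times[e["UserHostAddress"]].append(e["when"])
    peaks = {}
    for ip, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):  # sliding window over sorted timestamps
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def suspicious_clients(entries, window=timedelta(seconds=60), threshold=5):
    """Addresses whose peak error rate reaches the (assumed) threshold."""
    peaks = max_errors_in_window(entries, window)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


def referrer_hosts(entries, own_hosts=()):
    """Referer hosts other than our own, with the clients that sent them.
    Informational only: the header is client-controlled, so nothing trusts it."""
    seen = defaultdict(set)
    for e in entries:
        ref = e.get("UrlReferrer", "")
        host = urlsplit(ref).hostname if ref else None
        if host and host not in own_hosts:
            seen[host].add(e["UserHostAddress"])
    return {h: sorted(v) for h, v in seen.items()}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, n in sorted(max_errors_in_window(entries).items()):
        print(f"{ip}: up to {n} request-validation errors within 60s")
    print("clients worth a closer look:", suspicious_clients(entries))
    print("foreign referrers (context only):", referrer_hosts(entries, ("thebusinessbook.com",)))
```

Run against the sample, the two real entries peak at 2 errors in a minute and fall below the threshold, while the constructed client peaks at 6 and is reported; the government referrer is listed only as context, which is the answer's point that the header says nothing reliable about where the request came from.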