We recently ran AppScan against an application, and on a few pages the report shows: The following changes were applied to the original request:

  • Set HTTP header to 'http://bogus.referer.ibm.com'
    Reasoning:
    The same request was sent twice in different sessions and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to this issue.

I'm a bit confused about how to handle this. Should I just look at the Request.UrlReferrer and make sure it's the same host as what's in the URL, or is there a better way to handle this?

Thanks.

SLaks
Paritosh

  • Not all browsers send `Referer` headers. You should use CSRF tokens. – SLaks Mar 12 '13 at 15:38
  • Referrer isn't directly relevant to the problem - AppScan was just trying a request with a different referrer at the time when it failed. Ignore that bit; the 'Reasoning' describes the issue much better. – bobince Mar 12 '13 at 17:28
  • After looking at it again, I believe I see what might be happening. I have Session.Abandon() on the logout, but if the session just expires without the user doing anything, there was no abandon. Maybe that's how AppScan was able to get the same response twice, as the Session cookie was not dropped but just picked up again. – Paritosh Mar 12 '13 at 18:22

1 Answer

The Referrer header can be spoofed quite easily. You need to use CSRF tokens (I recommend the Synchronizer Token Pattern) that will prove the origination of the request. There is an awesome resource at OWASP that you should definitely read. Good luck!

Freedom_Ben

  • In addition to Freedom_Ben's answer, if you are using MVC you can use the AntiForgeryToken which is baked in and super easy to use. Basically you use an Html helper to create the token, then an attribute is added to the post method which will verify the token for you. More info can be found here: http://msdn.microsoft.com/en-us/library/system.web.mvc.htmlhelper.antiforgerytoken(v=vs.100).aspx – Chris Holwerda Mar 12 '13 at 16:21
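The Synchronizer Token Pattern the answer recommends, worked through as an added example (this is not code from the post, from AppScan, or from ASP.NET; it is a framework-agnostic Python sketch of the same mechanism that MVC's AntiForgeryToken provides). The hostname `app.example.com`, the session ids `sess-A`/`sess-B` and the `/transfer` form are constructed for the demo. It also contrasts the token check with the Referer-host check the question proposes, and replays the same request body in a second session, which is exactly the test AppScan's "Reasoning" describes: with a per-session token, the replayed request is rejected.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

SITE_HOST = "app.example.com"  # constructed hostname for the demo


@dataclass
class Session:
    """Server-side session record; stands in for the framework's session store."""
    sid: str
    csrf_token: Optional[str] = None


def issue_csrf_token(session: Session) -> str:
    """Synchronizer Token Pattern: one unguessable token per session, kept server-side."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_transfer_form(session: Session) -> str:
    """The form the browser receives; the token travels as a hidden field, not a cookie,
    so a cross-site page cannot read it even though the browser attaches the cookie."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def referer_check_only(headers: dict) -> bool:
    """The check the question proposes: accept if the Referer host is our host.
    Shown for contrast only: a missing header rejects real users (not every browser
    or proxy sends it), and a non-browser client can set the header to anything."""
    referer = headers.get("Referer")
    if referer is None:
        return False
    return urlparse(referer).hostname == SITE_HOST


def verify_csrf(session: Session, submitted: Optional[str]) -> bool:
    """Token check: present, bound to this session, compared in constant time."""
    if session.csrf_token is None or submitted is None:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def handle_transfer(session: Session, form: dict) -> int:
    """POST /transfer: 403 unless the synchronizer token matches this session."""
    if not verify_csrf(session, form.get("csrf_token")):
        return 403
    return 200


def demo() -> dict:
    """Runs the three scenarios and returns the HTTP status each one gets."""
    victim = Session(sid="sess-A")
    render_transfer_form(victim)  # victim loads the page; sess-A now owns a token

    # 1. Legitimate submit of our own form: token present and bound to sess-A.
    legit = handle_transfer(victim, {"csrf_token": victim.csrf_token, "amount": "10"})

    # 2. Request carrying the session cookie and a Referer naming our host, but no token.
    #    The Referer-only check accepts it; the token check does not.
    spoofed_headers = {"Referer": f"https://{SITE_HOST}/transfer"}  # constructed header
    referer_verdict = referer_check_only(spoofed_headers)
    no_token = handle_transfer(victim, {"amount": "10"})

    # 3. AppScan-style replay: the identical request body sent in a second session.
    other = Session(sid="sess-B")
    render_transfer_form(other)
    replay = handle_transfer(other, {"csrf_token": victim.csrf_token, "amount": "10"})

    return {
        "legit": legit,
        "referer_check_accepts_tokenless_request": referer_verdict,
        "no_token": no_token,
        "replay_in_other_session": replay,
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so token verification does not leak timing information, and the token lives in the server-side session rather than only in a cookie, which is what makes AppScan's "same request in a different session" replay fail. The asker's follow-up about `Session.Abandon()` does not change this: whether or not the old session object is discarded, a fresh session gets a fresh token and the old one is no longer accepted.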