
I have a block of code that prevents URL hacking to a page by checking the URL referrer

// Inside an ActionFilterAttribute, run before the action executes
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    if (filterContext.RequestContext.HttpContext.Request.UrlReferrer == null)
    {
        // redirect somewhere else
    }
}

Ideally, it's to stop someone looking at record details pages by just changing the ID (so, persons/1, persons/2 etc)

Now this is fine if the referrer hasn't been stripped by the browser, but what if it is? Is there a workaround to this at all?

I'm using C# MVC

Omar.Ebrahim
    Rather than looking at the URL referrer, why not check the workflow state of whatever process the user is in to make sure they're allowed to be on that page at that point in time? – mason Aug 29 '17 at 15:20
  • You know it is possible to send any UrlReferrer from the client. So this is in no way a secure way. – Magnus Aug 29 '17 at 15:26
  • And many small applications that scrape or otherwise display web pages within them won't bother sending a referrer header at all. Legitimate or not. – ahwm Aug 29 '17 at 15:31
  • URL Referrer can easily be forged and you should not rely on this for any type of security. If you have security concerns then at the very least you could change the ID from an int value to a Guid (uniqueIdentifier) so users can't just keep plugging in int values appended to the url. Adding a second query parameter such as another user property or a DT value that is encrypted could plain out not make it worth the hacking time to go after your site. There are tons of creative solutions for this but security based upon url ref would likely only keep you safe from script kiddies. – Travis Acton Aug 29 '17 at 16:09

1 Answer


There is no workaround to this: it is either there or it is not. BUT the URL referrer is not meant to be a security mechanism; it can be easily forged. If your only concern is URL hijacking, then the lowest-hanging-fruit kind of change you could make is to change your ID field to a uniqueIdentifier (Guid) so users cannot just append incrementing numbers to your URL.

Travis Acton
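To make the point of the comments and the answer concrete, here is an added example (not code from the question or the answer) of what the details action looks like when the decision comes from the server-side identity and record ownership instead of the referrer, with the Guid ID the answer suggests. PersonRecord, IPersonRepository and the "owner may view" rule are assumptions made up for this example.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical record type and store, constructed for this example.
public class PersonRecord
{
    public Guid Id { get; set; }            // non-guessable ID, per the answer
    public string OwnerUserName { get; set; }
    public string Name { get; set; }
}

public interface IPersonRepository
{
    PersonRecord Find(Guid id);             // returns null when no such record
}

[Authorize] // an authenticated user is required before any action runs
public class PersonsController : Controller
{
    private readonly IPersonRepository _repo;

    public PersonsController(IPersonRepository repo)
    {
        _repo = repo;
    }

    // GET /persons/{id}
    // The referrer is never consulted. The check uses the authenticated
    // identity and the record's stored owner, both of which the server
    // controls and the client cannot forge by editing the URL or headers.
    public ActionResult Details(Guid id)
    {
        var record = _repo.Find(id);

        // Same response for "missing" and "not yours", so changing the ID
        // in the URL does not reveal which records exist.
        if (record == null ||
            !string.Equals(record.OwnerUserName, User.Identity.Name,
                           StringComparison.Ordinal))
        {
            return HttpNotFound();
        }

        return View(record);
    }
}
```

The Guid only makes IDs hard to guess; the ownership check in the action is what actually stops a logged-in user from reading someone else's record.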