4

I need to try and spoof the HTTP_REFERER passed by another page so that in the destination page, I can determine if the request is coming in from the "right" page and perform appropriate logic.

  1. How do I do that in JavaScript (AJAX)?
  2. Can I do that in ASP.Net?

TIA rams

rams

3 Answers

10

Generally speaking, you cannot cause other browsers to return a false HTTP_REFERER without an exploit, plug-in, or other extension. If you want to modify the value sent from your web browser and you are using Firefox, look at the Modify Headers extension.

In any case, you should never rely on HTTP_REFERER being accurate. There is no guarantee that the HTTP_REFERER you receive is not faked or simply not sent.

Troy J. Farrell
  • If you're using Chrome, the [ModHeader](https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj) extension does the job! – GiDo Jul 22 '15 at 09:22
2

If you want to test at the destination page whether a request is coming from the "right" page, you don't need to spoof the referrer. All you need to do is issue the request from a different page. Set up a page at a different URL from what you consider the "right" one, and issue requests from there, either by clicking a link to the destination page or by putting an image sourced from the destination.

Rob Kennedy
  • The calling page is from a client's app which I do not have access to. So instead of coding in dark, I need to "spoof" the referrer and test my page. – rams Mar 05 '09 at 23:10
  • @Rob, Why do you tell him "you don't need to spoof the referrer"? That seems irrelevant as he's asking *how* can the referrer be spoofed. – Pacerier Jun 06 '14 at 18:01
  • @Pacerier, he's asking "How can I solve problem X by doing Y?" My answer is that he doesn't really need to do Y in order to solve X. In this case, X is to test that the page can detect the referrer; Y is to spoof the referrer. – Rob Kennedy Jun 06 '14 at 18:42
2

It's already been mentioned that you can't really spoof things. But to clarify, the HTTP_REFERER header is generated by the browser, so on the server side of things you can't control it (including things handing off JavaScript, which may or may not be enabled).

If you just want to test the response of your page to certain headers (like "Referer:"), you can use command-line tools like curl or wget which are available in most BSD and Linux variants (including OS/X). If you're using MS Windows, you can get curl or wget using Cygwin.

    wget -O - --referer="http://example.com/some/path" http://example.com/

or

    curl -e "http://example.com/some/path" http://example.com/

But your core reason for doing this is apparently to "protect" a page, I think. If you really want to make sure that a page (call it "B") is only visited after some other page ("A") is visited first, then you need more complex logic on the server side.

If you're storing a session cookie, then you can embed some logic on page "A" that sets a boolean variable. Then add logic on page "B" that checks to make sure the variable has been set.

I'll leave it as an exercise for the reader to figure out how to do this in ASP.NET. (Because I'm a PHP programmer. ;-] )

ghoti
  • Why do you say that referral checking cannot ensure "page B runs logic only after page A is visited"? – Pacerier Jun 06 '14 at 17:58
  • That's not what I said. If you use a cookie, then you can ensure that the cookie is set by a visit to page A, and then B can check for that cookie. The HTTP_REFERER is generated by the browser, so it can't be trusted. – ghoti Jun 06 '14 at 18:40
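
The session-flag approach described in the last answer, placed next to the Referer check it replaces, as an added example that is not part of the original thread. It is written in Python rather than ASP.NET so it runs without a web server; the handler names, the `sid` cookie name, the in-memory `SESSIONS` store and the example.com URL are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side session store: session id -> state dict (assumed in-memory)
PAGE_A_URL = "http://example.com/a"  # constructed URL standing in for the "right" page

def _session(headers):
    """Return the server-side session named by the request's Cookie header, or None."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = cookie["sid"].value if "sid" in cookie else None
    return SESSIONS.get(sid)

def page_a(headers):
    """Page A: create a session if needed and record the visit on the server."""
    state = _session(headers)
    out = {}
    if state is None:
        sid = secrets.token_urlsafe(32)  # unguessable id; the flag itself never leaves the server
        state = SESSIONS[sid] = {}
        out["Set-Cookie"] = f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    state["visited_a"] = True
    return 200, out

def page_b_referer_check(headers):
    """Weak check: trusts a header that the client fully controls."""
    return 200 if headers.get("Referer") == PAGE_A_URL else 403

def page_b_session_check(headers):
    """Stronger check: requires the flag that page A stored server-side."""
    state = _session(headers)
    return 200 if state and state.get("visited_a") else 403

def demo():
    # Same shape of request as the curl -e test above: Referer set, no cookie.
    forged = {"Referer": PAGE_A_URL}
    results = {"referer_check_forged": page_b_referer_check(forged),
               "session_check_forged": page_b_session_check(forged)}
    # A client that really visited page A and sends back the cookie it was given.
    _, hdrs = page_a({})
    sid_pair = hdrs["Set-Cookie"].split(";", 1)[0]
    results["session_check_after_a"] = page_b_session_check({"Cookie": sid_pair})
    # Privacy settings or proxies may strip Referer from a legitimate request.
    results["referer_check_missing"] = page_b_referer_check({"Cookie": sid_pair})
    # An invented session id has no server-side state and must not pass.
    results["session_check_bad_sid"] = page_b_session_check({"Cookie": "sid=guess"})
    return results

if __name__ == "__main__":
    print(demo())
```

The Referer check accepts the forged request and rejects the legitimate one whose header was stripped, while the session check gets both cases right.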