Page History
...
And that this could cause problems for existing magnolia installations.
Conclusion after 4 hours research
Referrer technique should work if it is written correctly. - major downside is that there are a various situations where Referer header is removed, and these must be treated as an attack - probably with a message to the user that a Referer header is required. (The future may bring us even less referers - sites can add a meta tag to remove them now http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html)
On the interwebs everyone always recommends using the token approach. Its the accepted, transparent approach.
Correct Referer check:
- Strictly check the "end" of the hostname. Protect against:
- Open Redirect: http://hackersite.io/?http://demoauthor45.magnolia-cms.com/.magnolia/etc,
- Tricky Subdomain: http://demoauthor45.magnolia-cms.com.hackersite.io
- Empty Referer.
Investigate Referrer Method
...
- For example, open redirect vulnerabilities can be used to exploit GET-based requests that are protected with a referer check
- Does this mean someone can take advantage of a browsers broken redirect behaviour to make the referer header set to the wrong value?
- ????
- This refers to sites with a redirect destination as a parameter like http://www.vulnerable.com/redirect.asp?=http://www.links.com
- See https://www.owasp.org/index.php/Open_redirect
- So an attacker could use something like http://hackersite.io/?http://demoauthor45.magnolia-cms.com/.magnolia/etc, and a poorly written referer check might let the request through since the referer will include the domain name.
- and some organizations or browser tools remove referrer headers as a form of data protection.
- This is OK. That organization would have to turn the referrer headers back on.
- There are also common implementation mistakes with referer checks. For example if the CSRF attack originates from an HTTPS domain then the referer will be omitted. In this case the lack of a referer should be considered to be an attack when the request is performing a state change.
- True HTTPS to HTTP strips the header.
- We simply consider all requests with no referrer to be an attack.
- For example, if the victim's domain is "site.com" then an attacker have the CSRF exploit originate from "site.com.attacker.com" which may fool a broken referer check implementation. XSS can be used to bypass a referer check.
- OK. we just need a good check.
Support existing installation: WhiteList? Special Code? Tokens??!?
...