Referer Buys You Nothing

04 Feb 2005

I am very surprised at how often I see Referer checking being mentioned as a safeguard against form spoofing. I can't properly express how completely useless this is. I've even had people try to argue with me, convinced that this is a sound technique.

Consider a hypothetical form located at http://example.org/form.html:

  1. <form action="/process.php" method="POST">
  2. <input type="text" name="foo" />
  3. <input type="submit" />
  4. </form>

To spoof this form, an attacker sends an HTTP POST request to http://example.org/process.php. Assuming the developer who wrote process.php is relying on Referer checking to prevent form spoofing, guess what the expected value is? Does this really seem like a big secret? An attacker will get this right every single time.

If you want to do something useful, at least use some bit of information that isn't obvious. One example is to generate a secret token and include it in the form:

  1.  
  2. $token = md5(uniqid(rand(), true));
  3. $_SESSION['token'] = $token;
  4.  
  5. ?>
  6.  
  7. <form action="/process.php" method="POST">
  8. <input type="hidden" name="token" value="<?php echo $token; ?>" />
  9. <input type="text" name="foo" />
  10. <input type="submit" />
  11. </form>

You can check this value in process.php, and it's not very easy to guess. In fact, the only person with a reasonable chance of knowing this value is the person you send it to.