Referer Header (CSRF) - Please Help!!

Started by ozzy13, March 05, 2018, 09:51:06 AM


ozzy13

Hello Peeps!!

I've a query regarding a Referer Header validation (CSRF) vulnerability. I want to know if this can be fixed in the Apache config without mod_security? I'm not keen on using mod_security due to its complexity.

TIA.

Gregg

After reading a few things about CSRF, it's not really Apache's job to protect against it. The reason mod_security can protect against C/XSRF is that it actually inspects the request for a great many things. It's more the browser's and web app's job to make sure these things are coming from the right origin. Nothing should ever depend on the Referer for granting anything, because the headers can be forged.

That said, I suggest you read OWASP's CSRF Prevention Cheat Sheet.

Also, there are Headers you can set to tell browsers how to behave when it comes to your server/site.
See https://securityheaders.io/. Run a scan on your site and, when you get your score, the bottom section of the page has links explaining the various headers. In the case of CSRF, XSS is not always required but quite often helps pull off the attack. There's a header for it: "X-XSS-Protection: 1; mode=block".

Another would be Referrer-Policy. It has a few options, and the link to the explanation is also in that bottom section.


This is what I use on my server (which isn't this one).

Header set Content-Security-Policy "default-src 'self' mydomain.net *.mydomain.net; img-src 'self' data:; style-src 'self' mydomain.net *.mydomain.net; frame-ancestors 'self'"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=30; report-uri=\"https://www.mydomain.net/ct/report\""
Header always set X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=63072000;"


I get an A+ grade at securityheaders.io.

ozzy13

Hi Gregg. Thanks for your response.

I've tried the below config but it didn't work as per what I want.

Basically, I want to emulate the below rule without using mod_security.

SecRule REQUEST_HEADERS:Referer "!@contains ://%{SERVER_NAME}/" \
"id:432010,phase:2,msg:'Referer header does not point to the server itself %{REQUEST_HEADERS.Referer}',deny,status:403"

Which means if the request header is anything apart from my domain/server name, it will be forbidden.

Are there any other modules to support the setting?

Thanks

mario

You can do that with .htaccess or in your server config.


RewriteEngine On

# A RewriteCond applies only to the RewriteRule that immediately follows it,
# so the condition is repeated before each rule. The pattern is anchored, so an
# empty Referer does not match it either and is denied as well.
RewriteCond %{HTTP_REFERER} !^https?://www\.example\.com/ [NC]
# disallow access to this file if the referrer is not set (or is foreign).
RewriteRule ^skript\.php$ - [F]

RewriteCond %{HTTP_REFERER} !^https?://www\.example\.com/ [NC]
# disallow by file endings
RewriteRule \.(jpe?g|gif|bmp|png)$ - [F]
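As an added example (not code from any of the posters above): the SecRule in ozzy13's post compares the Referer against %{SERVER_NAME} rather than a hard-coded host, and mod_rewrite does not expand a server variable inside a CondPattern regex, so the usual idiom is to glue the server name onto the Referer in the TestString and match it with a PCRE backreference. The path `script.php` and the `api/` prefix are placeholders for whatever is being protected, and the rule is written for .htaccess or <Directory> context, where the matched path has no leading slash.

```apache
RewriteEngine On

# Emulate the mod_security rule: deny when a Referer is present and does not
# begin with "http(s)://<SERVER_NAME>[:port]/". A request with no Referer at
# all passes, exactly as the SecRule does when the header variable is absent.
RewriteCond %{HTTP_REFERER} !^$
# TestString is "<server name>@@<referer>"; \1 re-uses the server name so the
# comparison does not need the variable inside the regex itself.
RewriteCond %{SERVER_NAME}@@%{HTTP_REFERER} !^([^@]+)@@https?://\1(:[0-9]+)?/ [NC]
# Placeholder paths (assumed): protect script.php and everything under api/.
RewriteRule ^(script\.php|api/.*)$ - [F]
```

Two caveats a practitioner should keep in mind. With Apache's default `UseCanonicalName Off`, %{SERVER_NAME} is taken from the client's Host header, so set it On (or use a literal host name) if the comparison should be pinned to the configured ServerName. And mirroring the SecRule also mirrors its gap: a page that suppresses the Referer (for example with a `no-referrer` Referrer-Policy) produces a request with no header at all, which passes, and the original rule's `@contains ://%{SERVER_NAME}/` accepts the substring anywhere in the Referer, including inside a query string, whereas the anchored pattern above requires it at the start. This is why the OWASP cheat sheet Gregg links treats Referer/Origin checking as defence in depth next to an anti-CSRF token rather than as the primary control.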