Jump to content
 







Main menu
   


Navigation  



Main page
Contents
Current events
Random article
About Wikipedia
Contact us
Donate
 




Contribute  



Help
Learn to edit
Community portal
Recent changes
Upload file
 








Search  

































Create account

Log in
 









Create account
 Log in
 




Pages for logged out editors learn more  



Contributions
Talk
 



















Contents

   



(Top)
 


1 Overview  





2 Application  





3 Tools  





4 See also  





5 Notes  














Referer spoofing






Deutsch
עברית
 

Edit links
 









Article
Talk
 

















Read
Edit
View history
 








Tools
   


Actions  



Read
Edit
View history
 




General  



What links here
Related changes
Upload file
Special pages
Permanent link
Page information
Cite this page
Get shortened URL
Download QR code
Wikidata item
 




Print/export  



Download as PDF
Printable version
 
















Appearance
   

 






From Wikipedia, the free encyclopedia
 


InHTTP networking, typically on the World Wide Web, referer spoofing (based on a canonised[1] misspelling of "referrer") sends incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.

Overview[edit]

Referer spoofing is typically done for data privacy reasons, in testing, or in order to request information (without genuine authority) which some web servers may only supply in response to requests with specific HTTP referers.

To improve their privacy, individual browser users may replace accurate referer data with inaccurate data, though many simply suppress their browser's sending of any referer data. Sending no referrer information is not technically spoofing, though sometimes also described as such.

In software, systems and networks testing, and sometimes penetration testing, referer spoofing is often just part of a larger procedure of transmitting both accurate and inaccurate as well as expected and unexpected input to the HTTPD system being tested and observing the results.[2]

While many websites are configured to gather referer information and serve different content depending on the referer information obtained, exclusively relying on HTTP referer information for authentication and authorization purposes is not a genuine computer security measure. HTTP referer information is freely alterable and interceptable, and is not a password, though some poorly configured systems treat it as such.

Application[edit]

Some websites, especially many image hosting sites, use referer information to secure their materials: only browsers arriving from their web pages are served images. Additionally a site may want users to click through pages with advertisements before directly being able to access a downloadable file – using the referring page or referring site information can help a site redirect unauthorized users to the landing page the site would like to use.

If attackers acquire knowledge of these approved referrers, which is often trivial because many sites follow a common template,[3] they can use that information combined with this to exploit and gain access to the materials.

Spoofing often allows access to a site's content where the site's web server is configured to block browsers that do not send referer headers. Website owners may do this to disallow hotlinking.

It can also be used to defeat referer checking controls that are used to mitigate Cross-Site Request Forgery attacks.

Tools[edit]

Several software tools exist to facilitate referer spoofing in web browsers. Some are extensions to popular browsers such as Mozilla FirefoxorInternet Explorer, which may provide facilities to customise and manage referrer URLs for each website the user visits.

Other tools include proxy servers, to which an individual configures their browser to send all HTTP requests. The proxy then forwards different headers to the intended website, usually removing or modifying the referer header. Such proxies may also present privacy issues for users, as they may log the user's activity.

See also[edit]

Notes[edit]

  1. ^ Gourley, David; Totty, Brian; Sayer, Marjorie; Aggarwal, Anshu; Reddy, Sailu (27 September 2002). HTTP: The Definitive Guide. "O'Reilly Media, Inc.". ISBN 9781565925090.
  • ^ "The HTTPS-Only Standard - Introduction to HTTPS". https.cio.gov. Retrieved 2021-05-01.
  • ^ Sieklik, Boris (March 2016). "Evaluation of TFTP DDoS amplification attack". The Cyber Academy, Edinburgh Napier University.

  • Retrieved from "https://en.wikipedia.org/w/index.php?title=Referer_spoofing&oldid=1200278015"

    Categories: 
    Internet privacy
    Internet security
    Hidden categories: 
    Articles with short description
    Short description matches Wikidata
    Articles needing additional references from January 2021
    All articles needing additional references
     



    This page was last edited on 29 January 2024, at 05:03 (UTC).

    Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.



    Privacy policy

    About Wikipedia

    Disclaimers

    Contact Wikipedia

    Code of Conduct

    Developers

    Statistics

    Cookie statement

    Mobile view



    Wikimedia Foundation
    Powered by MediaWiki