Referrer Spoofing in Javascript?

Hey everyone,

Does anyone know if it's possible to spoof a referral using Javascript - as
in, when I go from web site A to web site B, if B uses php or javascript or
something to see the referring site, instead of site A they see site C,
which A does something to make B see?

I'm trying to write a script for a site that will allow someone to send a
GET request to my script and have it be converted to a POST for another
site (so that you can bookmark searches for sites using POST). It works
fine, using PHP-generated Javascript, but the problem is that one specific
site, I think checks to make sure the referring site was its own, making
it impossible to use my script for its intended purpose in this instance.
I was hoping I could do something in javascript to fool the site into
thinking I came from the "right" page.

The referrer is stored in the browser, so I imagine there has to be some
way to spoof a referrer using javascript. Any ideas?
Jul 23 '05 #1
Lee
Rod Hilton said:
> The referrer is stored in the browser, so I imagine there has to be some
> way to spoof a referrer using javascript. Any ideas?

That's an odd thing to imagine. There are far more things
stored in the browser that are not available to script than
are available.

The authors of the popular browsers are, for the most part,
intelligent and honest, and try to avoid making it easy for
people to get away with the sort of spoofing that would make
any feature of the system (such as HTTP-REFERRER) completely
useless.

Jul 23 '05 #2
Lee <RE**************@cox.net> wrote in news:ck*********@drn.newsguy.com:
> Rod Hilton said:
>> The referrer is stored in the browser, so I imagine there has to be some
>> way to spoof a referrer using javascript. Any ideas?
>
> That's an odd thing to imagine. There are far more things
> stored in the browser that are not available to script than
> are available.
>
> The authors of the popular browsers are, for the most part,
> intelligent and honest, and try to avoid making it easy for
> people to get away with the sort of spoofing that would make
> any feature of the system (such as HTTP-REFERRER) completely
> useless.

Well, I'm mostly imagining it because I want to do it so badly. ;)

I'll take this answer as a no, then? That's disappointing - searches that
use POST make it impossible to use my web browser's bookmark/nickname
feature.

Ah well. Thanks
Jul 23 '05 #3
Rod Hilton <ro*@NOSPAMair0day.com> wrote in
news:Xn*********************************@216.196.97.136:
>> any feature of the system (such as HTTP-REFERRER) completely
>> useless.

referer, as all other headers the browser sends can be easily spoofed. A
site relying on those is broken in the first place.

> Well, I'm mostly imagining it because I want to do it so badly. ;)

Then use Perl, PHP or some other server-side trick.

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
Jul 23 '05 #4
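
The point made in the post above (a site that relies on Referer is relying on something the client writes) shown from site B's side, as an added example that is not part of the original thread. It compares a Referer check with a per-session form token the server can actually verify; `b.example`, the session ids and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the thread. b.example and the session ids are
// constructed placeholders for "site B" and its visitors.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const SITE_ORIGIN = "https://b.example";
const SERVER_KEY = randomBytes(32); // stays on the server, never sent to clients

// Weak check: the Referer header is written by whoever sends the request.
function refererCheck(headers) {
  const referer = headers["referer"] || "";
  return referer.startsWith(SITE_ORIGIN + "/");
}

// Token the server embeds in its own search form for one session.
function issueFormToken(sessionId) {
  return createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

// Verifiable check: recompute the token and compare in constant time.
function tokenCheck(sessionId, submittedToken) {
  if (typeof sessionId !== "string" || typeof submittedToken !== "string") return false;
  const expected = Buffer.from(issueFormToken(sessionId), "hex");
  const submitted = Buffer.from(submittedToken, "hex");
  return submitted.length === expected.length && timingSafeEqual(submitted, expected);
}

// Run both checks over a list of requests and report each verdict.
function evaluate(requests) {
  return requests.map((r) => ({
    name: r.name,
    refererOk: refererCheck(r.headers),
    tokenOk: tokenCheck(r.sessionId, r.token),
  }));
}

// Constructed sample requests as site B would see them.
const sampleRequests = [
  { name: "form served by B", headers: { referer: SITE_ORIGIN + "/search" },
    sessionId: "sess-1", token: issueFormToken("sess-1") },
  { name: "Referer supplied by the sender, no token", headers: { referer: SITE_ORIGIN + "/search" },
    sessionId: "sess-2", token: "" },
  { name: "token copied from another session", headers: { referer: SITE_ORIGIN + "/search" },
    sessionId: "sess-2", token: issueFormToken("sess-1") },
  { name: "Referer stripped by a proxy", headers: {},
    sessionId: "sess-3", token: issueFormToken("sess-3") },
];

console.table(evaluate(sampleRequests));
```

The token ties a POST to a form site B served to that session; a client that loads B's form first receives a valid token like any other visitor. The last sample row shows the other cost of the Referer check: a legitimate visitor whose Referer is missing is rejected.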
John Bokma <po********@castleamber.com> wrote in
news:Xn*************************@130.133.1.4:
> Then use Perl, PHP or some other server-side trick.

Is that possible? To visit site B from site A and have site B think site A
was something else? It would seem like, after A sends the page to the
client, it has lost its opportunity to influence site B's data in any way.

I'm well versed in PHP (well, pretty well versed), and I don't know of a
way to do that.
Jul 23 '05 #5
Rod Hilton <ro*@NOSPAMair0day.com> wrote in
news:Xn********************************@216.196.97.136:
> John Bokma <po********@castleamber.com> wrote in
> news:Xn*************************@130.133.1.4:
>> Then use Perl, PHP or some other server-side trick.
> Is that possible? To visit site B from site A and have site B think
> site A was something else?

Your browser can do it, so yes. The browser *sends* the referer to the
site, it can put anything it wants in that header.

> It would seem like, after A sends the page
> to the client, it has lost its opportunity to influence site B's data
> in any way.
>
> I'm well versed in PHP (well, pretty well versed), and I don't know of
> a way to do that.

Can you send the headers? If you can, you can send anything you want.
Including a spoofed header.

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
Jul 23 '05 #6
John Bokma <po********@castleamber.com> wrote in
news:Xn*************************@130.133.1.4:
> Can you send the headers? If you can, you can send anything you want.
> Including a spoofed header.

Well, you could have the PHP script send a different location header, but
that would actually redirect the browser. What I'm saying is, when the
client makes a connection to site B, it doesn't run anything by site A
again, so what could A do to spoof the header as it appears to site B? The
connection between the client and A is over.. and I don't think A can tell
the browser it's at a different site - any method I can think of to do that
redirects the browser. That's why I thought it might be a task more
related to javascript than any server side application.
Jul 23 '05 #7
Lee
Rod Hilton said:

> John Bokma <po********@castleamber.com> wrote in
> news:Xn*************************@130.133.1.4:
>> Can you send the headers? If you can, you can send anything you want.
>> Including a spoofed header.
>
> Well, you could have the PHP script send a different location header, but
> that would actually redirect the browser. What I'm saying is, when the
> client makes a connection to site B, it doesn't run anything by site A
> again, so what could A do to spoof the header as it appears to site B? The
> connection between the client and A is over.. and I don't think A can tell
> the browser it's at a different site - any method I can think of to do that
> redirects the browser. That's why I thought it might be a task more
> related to javascript than any server side application.

The client connects to a PHP page on server A, which sends spoofed header
information to server B, receives the HTTP response, and sends that response to
the client.

Jul 23 '05 #8
On 8 Oct 2004 14:36:40 -0700, Lee <RE**************@cox.net> wrote:
> Rod Hilton said:
>> The referrer is stored in the browser, so I imagine there has to be some
>> way to spoof a referrer using javascript. Any ideas?
>
> That's an odd thing to imagine. There are far more things
> stored in the browser that are not available to script than
> are available.

the XML HTTP Request Object lets you set any header, including the
Referrer of course.

Jim.
Jul 23 '05 #9
Rod Hilton wrote:
> John Bokma <po********@castleamber.com> wrote in
> news:Xn*************************@130.133.1.4:
>> Can you send the headers? If you can, you can send anything you want.
>> Including a spoofed header.
>
> Well, you could have the PHP script send a different location header,
> but that would actually redirect the browser. What I'm saying is,
> when the client makes a connection to site B, it doesn't run anything
> by site A again, so what could A do to spoof the header as it appears
> to site B? The connection between the client and A is over.. and I
> don't think A can tell the browser it's at a different site - any
> method I can think of to do that redirects the browser. That's why I
> thought it might be a task more related to javascript than any server
> side application.

Server side you can fetch the page from the other site, like a browser
does, and hence you can spoof whatever you want.

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
Jul 23 '05 #10
Lee <RE**************@cox.net> wrote in news:ck********@drn.newsguy.com:
> Rod Hilton said:
>
>> John Bokma <po********@castleamber.com> wrote in
>> news:Xn*************************@130.133.1.4:
>>> Can you send the headers? If you can, you can send anything you
>>> want. Including a spoofed header.
>>
>> Well, you could have the PHP script send a different location header,
>> but that would actually redirect the browser. What I'm saying is,
>> when the client makes a connection to site B, it doesn't run anything
>> by site A again, so what could A do to spoof the header as it appears
>> to site B? The connection between the client and A is over.. and I
>> don't think A can tell the browser it's at a different site - any
>> method I can think of to do that redirects the browser. That's why I
>> thought it might be a task more related to javascript than any server
>> side application.
>
> The client connects to a PHP page on server A, which sends spoofed
> header information to server B, receives the HTTP response, and sends
> that response to the client.

I was doing that. The problem is how much work it takes to parse the
thing. If the HTML sent back uses relative links, I have to parse the
thing and force all of the links and srcs to be absolute, which is a lot of
work. I want the client to make the connection to B, otherwise my script
has to be extremely complex, I believe.
Jul 23 '05 #11
Rod Hilton wrote:

[ header spoofing ]
> I was doing that. The problem is how much work it takes to parse the
> thing. If the HTML sent back uses relative links, I have to parse the
> thing and force all of the links and srcs to be absolute, which is a
> lot of work.

Just set a baseurl in the <head> part

> I want the client to make the connection to B, otherwise
> my script has to be extremely complex, I believe.

Or use Perl

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
Jul 23 '05 #12
