
Token Leakage via Referer Header over Untrusted Third-Party

Overview of the Vulnerability

The Referer HTTP request header carries the URL of the page from which the user requested the resource. This application's Referer headers leak valid user tokens when the user follows a link to an untrusted third party. The token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker who has compromised the third-party vendor. With access to the token exposed in the Referer header, the attacker could escalate privileges and execute API calls on behalf of the user within the application.

Business Impact

Token Leakage via Referer header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to login and navigate to: {{URL}}

  3. Click on the link to the third-party website

  4. Capture the request using the HTTP interception proxy

  5. Observe the token in the Referer header and that the connection is over HTTP
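The check performed manually in steps 4 and 5 can be run over a captured request as well. The following Python is an added example, not part of this template or of any vendor tooling: it parses a raw proxied request (the request line is in absolute form, as an interception proxy records it, so the outgoing scheme is visible), extracts the Referer header, and reports whether a sensitive query parameter is being sent in cleartext and/or to a third-party origin. The sample request, the host names and the token value are constructed, and the list of parameter names treated as sensitive is an assumption to be extended for the application under test.

```python
from urllib.parse import parse_qs, urlsplit

# Query parameter names treated as sensitive for this check (assumption; extend as needed).
SENSITIVE_PARAMS = {"token", "access_token", "reset_token", "session", "sessionid", "auth"}

# Constructed sample of a proxied request, as an interception proxy would show it.
# Proxied requests use the absolute-form target, so the scheme of the outgoing
# connection is visible in the request line. The token value is made up.
SAMPLE_REQUEST = (
    "GET http://vendor.example.net/help HTTP/1.1\r\n"
    "Host: vendor.example.net\r\n"
    "Referer: https://app.example.com/account/reset?token=CONSTRUCTED-TOKEN-123\r\n"
    "User-Agent: example-browser/1.0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def audit_referer(raw):
    """Report whether the Referer header of a captured request discloses a sensitive token.

    Returns a dict with:
      cleartext   - True when the request itself goes over http:// (step 5 above)
      third_party - True when the Referer origin differs from the request's Host
      leaked      - sensitive query parameters found in the Referer URL
      finding     - short classification of the result
    """
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target) if "://" in target else None
    scheme = parts.scheme.lower() if parts else None  # origin-form target: scheme unknown
    host = (headers.get("host") or "").split(":")[0].lower()
    referer = headers.get("referer")

    leaked, third_party = {}, False
    if referer:
        ref = urlsplit(referer)
        third_party = (ref.hostname or "").lower() != host
        leaked = {k: v[0] for k, v in parse_qs(ref.query).items() if k.lower() in SENSITIVE_PARAMS}

    if leaked and scheme == "http":
        finding = "token in Referer sent in cleartext"
    elif leaked and third_party:
        finding = "token in Referer disclosed to a third-party origin"
    elif leaked:
        finding = "token in Referer (same origin)"
    else:
        finding = "no sensitive parameter in Referer"
    return {"cleartext": scheme == "http", "third_party": third_party, "leaked": leaked, "finding": finding}


if __name__ == "__main__":
    for key, value in audit_referer(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

Note that the request target is only in absolute form when captured through a proxy; a request taken from a server log is in origin form and the scheme has to be supplied separately. A Referer that carries a token to a third party over HTTPS is still reported, since the template's overview counts a compromised vendor as a threat even without cleartext interception.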

Proof of Concept (PoC)

The following screenshot shows the token exposed within the Referer HTTP request header over an HTTP connection:

{{screenshot}}

Recommendation(s)

The application should transmit sensitive tokens over an HTTPS connection, either in HTTP cookies or in hidden form fields submitted with the HTTP POST method, rather than in the URL.

Where the Referer header is still needed, set a Referrer-Policy header with directives appropriate to the information displayed on the page. For example, on sensitive pages such as the password reset page the Referrer-Policy header can be set as follows:

Referrer-Policy: no-referrer
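To make the choice of directive concrete, the following Python is an added example (not part of this template) that evaluates what Referer value a browser would send under each Referrer-Policy directive for a navigation from a page whose URL carries a token to a third-party link. It implements the eight policy values from the W3C Referrer Policy specification with one simplification: only the https scheme is treated as "potentially trustworthy", so https-to-http counts as a downgrade and everything else does not. The page URL, the vendor URL and the token are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# The eight directive values defined by the Referrer Policy specification.
POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)


def _full(url):
    """Referrer value 'full URL': userinfo and fragment stripped, path and query kept."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme.lower(), f"{(p.hostname or '').lower()}{port}", p.path or "/", p.query, ""))


def _origin(url):
    """Referrer value 'origin only', serialised with a trailing slash as browsers send it."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{port}/"


def _is_downgrade(from_url, to_url):
    # Simplification: https is the only scheme treated as potentially trustworthy.
    return urlsplit(from_url).scheme.lower() == "https" and urlsplit(to_url).scheme.lower() != "https"


def referrer_for(policy, from_url, to_url):
    """Return the Referer the browser sends (or None) when navigating from_url -> to_url."""
    full, origin = _full(from_url), _origin(from_url)
    same = _origin(from_url) == _origin(to_url)
    downgrade = _is_downgrade(from_url, to_url)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "strict-origin-when-cross-origin":
        if same:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy directive: {policy}")


def leaks_token(policy, from_url, to_url, token):
    """True when the token from the page URL would appear in the outgoing Referer."""
    ref = referrer_for(policy, from_url, to_url)
    return ref is not None and token in ref


def policy_report(from_url, to_url, token):
    """Map each directive to whether the token leaks for this navigation."""
    return {p: leaks_token(p, from_url, to_url, token) for p in POLICIES}


if __name__ == "__main__":
    # Constructed values: a password reset page carrying a token, linking to a vendor page.
    TOKEN = "CONSTRUCTED-TOKEN-123"
    PAGE = f"https://app.example.com/account/reset?token={TOKEN}"
    for vendor in ("http://vendor.example.net/help", "https://vendor.example.net/help"):
        print(f"\n{PAGE} -> {vendor}")
        for policy, leaks in policy_report(PAGE, vendor, TOKEN).items():
            print(f"  {policy:34} leaks={leaks!s:5} referer={referrer_for(policy, PAGE, vendor)}")
```

Two results from the report are worth checking against the recommendation above. Under `no-referrer-when-downgrade` the token is withheld from the http:// vendor link but sent in full to the same vendor over https://, so that directive only protects against the cleartext case and not against an untrusted third party. Only `no-referrer` (and, for cross-origin links, `same-origin`) keeps the token out of the Referer in every case, which is why the template recommends `no-referrer` for the password reset page; the stronger fix remains keeping the token out of the URL altogether.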

For more information, please see the following guides:
