Hi

As of now, are there still any methods to spoof the HTTP referer?

Thank you.

A: 

Yes, the HTTP referer header can be spoofed.

A common way to play with HTTP headers is to use a tool like cURL:

Sending headers using cURL: http://stackoverflow.com/questions/356705/how-to-send-a-header-using-a-http-request-through-a-curl-call

or

The cURL docs: http://curl.haxx.se/docs/

labratmatt
A: 

Yes, of course. The browser can avoid sending it, and it can also be "spoofed". There's an add-on for Firefox (I haven't tried it myself) and likely you can also use something like Privoxy (but it is harder to make it change dynamically). Using other tools like wget is as easy as setting the proper option.

ShinTakezou
+2  A: 

Yes.

The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed/forged. This includes HTTP_USER_AGENT and even REMOTE_ADDR.

If you wrote the web browser, you're setting and sending the HTTP Referer and User-Agent headers on the GET, POST, etc.

You can also use middleware such as a web proxy to alter these. Fiddler lets you control these values.

With proper rights on the OS, you can even change the source IP Address in the packet, which affects REMOTE_ADDR.

If you want to redirect a visitor to another website and set their browser's referer to any value you desire, you'll need to develop a web browser-plugin or some other type of application that runs on their computer. Otherwise, you cannot set the referer on the visitor's browser. It will show the page from your site that linked to it.

What might be a valid solution in your case would be for you to load the third party page on the visitor's behalf, using whatever referer is necessary, then display the page to the user from your server.

Marcus Adams
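
Added example (not part of any answer on this page): a loopback test server that gates on the Referer header, and a client that chooses that header itself, showing why a Referer check cannot serve as access control. The trusted prefix, the user-agent string and all function names are constructed for this illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TRUSTED_PREFIX = "https://partner.example/"  # constructed value (assumption)

def referer_check(headers):
    """Naive gate: trust the request if Referer starts with TRUSTED_PREFIX."""
    return (headers.get("Referer") or "").startswith(TRUSTED_PREFIX)

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200 if referer_check(self.headers) else 403)
        self.end_headers()
        # Echo what the server saw: two client-chosen headers and the socket peer.
        h, peer = self.headers, self.client_address[0]
        seen = "referer=%s ua=%s peer=%s" % (h.get("Referer"), h.get("User-Agent"), peer)
        self.wfile.write(seen.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(port, headers):
    """GET the local test server with caller-chosen headers; return (status, body)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request("http://127.0.0.1:%d/" % port, headers=headers)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # loopback, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        plain = fetch(port, {})  # no Referer sent: the gate answers 403
        forged = fetch(port, {"Referer": TRUSTED_PREFIX + "page",
                              "User-Agent": "constructed-agent/1.0"})
    finally:
        server.shutdown()
        server.server_close()
    return plain, forged

if __name__ == "__main__":
    print(demo())
```

The `peer` value is read from the TCP connection rather than from a header, which is why changing it takes the packet-level access the answer mentions.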
A: 

Yes, I know we can spoof it from our side. What I mean is:

1. A visitor visits my web site
2. My web site redirects him to another site
3. The other site now sees my site as the HTTP referer

In this case, how can I spoof it? I know that leaving the HTTP referer blank is possible. I only want to know how the HTTP referer can be changed in the visitor's browser using some plugins or some hacks.

jack
@jack, I've updated my answer.
Marcus Adams
This should be an edit in the question, not an answer.
Platinum Azure