The purpose of this repo is to highlight how you can protect against abuse
of the Referer
HTTP header.
The exploit itself is fairly simple in that the Referer
header of an HTTP Request can be written
to be a different domain, causing the application code to use this as the URL to redirect
to when the back()
method is called using the Redirector
class commonly used via the
redirect()
helper.
The exploit helps those performing phishing style attacks where the user is on the legitimate domain and then submits a form with invalid validation and then sends the user to a different website which looks the same as the original, allowing the attacker to trick a user into potentially handing over account login details for the original site or other information.
This has been documented before laravel/framework#14642
To resolve this problem, there should be a quick URL check to make sure the URL is either the App URL
(app.url
in the config) or is in a list of whitelisted domains. In this demo it's just the
App URL.
The code to change this involves overriding the Redirector
class so the back()
method is resolved
and that the App/Exceptions/Handler
class overrides the invalid()
method so that it will
avoid using the previous url as per the UrlGenerator
class.
Tests are provided to show the two scenarios working to block the altered Referer
header.