The purpose of this repo is to highlight how you can protect against abuse of the Referer HTTP header.

The exploit itself is fairly simple in that the Referer header of an HTTP Request can be written to be a different domain, causing the application code to use this as the URL to redirect to when the back() method is called using the Redirector class commonly used via the redirect() helper.

The exploit helps those performing phishing style attacks where the user is on the legitimate domain and then submits a form with invalid validation and then sends the user to a different website which looks the same as the original, allowing the attacker to trick a user into potentially handing over account login details for the original site or other information.

This has been documented before laravel/framework#14642

To resolve this problem, there should be a quick URL check to make sure the URL is either the App URL (app.url in the config) or is in a list of whitelisted domains. In this demo it's just the App URL.

The code to change this involves overriding the Redirector class so the back() method is resolved and that the App/Exceptions/Handler class overrides the invalid() method so that it will avoid using the previous url as per the UrlGenerator class.

Tests are provided to show the two scenarios working to block the altered Referer header.