Referrer Spoofing in Javascript?

  • Rod Hilton

    Referrer Spoofing in Javascript?

    Hey everyone,

    Does anyone know if it's possible to spoof a referral using Javascript - as
    in, when I go from web site A to web site B, if B uses php or javascript or
    something to see the referring site, instead of site A they see site C,
    which A does something to make B see?

    I'm trying to write a script for a site that will allow someone to send a
    GET request to my script and have it be converted to a POST for another
    site (so that you can bookmark searches for sites using POST). It works
    fine, using PHP-generated Javascript, but the problem is that one specific
    site, I think, checks to make sure the referring site was its own, making
    it impossible to use my script for its intended purpose in this instance.
    I was hoping I could do something in javascript to fool the site into
    thinking I came from the "right" page.

    The referrer is stored in the browser, so I imagine there has to be some
    way to spoof a referrer using javascript. Any ideas?
  • Lee

    #2
    Re: Referrer Spoofing in Javascript?

    Rod Hilton said:
    >The referrer is stored in the browser, so I imagine there has to be some
    >way to spoof a referrer using javascript. Any ideas?

    That's an odd thing to imagine. There are far more things
    stored in the browser that are not available to script than
    are available.

    The authors of the popular browsers are, for the most part,
    intelligent and honest, and try to avoid making it easy for
    people to get away with the sort of spoofing that would make
    any feature of the system (such as HTTP-REFERRER) completely
    useless.


    • Rod Hilton

      #3
      Re: Referrer Spoofing in Javascript?

      Lee <REM0VElbspamtrap@cox.net> wrote in news:ck719801o17@drn.newsguy.com:

      > Rod Hilton said:
      >
      >>The referrer is stored in the browser, so I imagine there has to be some
      >>way to spoof a referrer using javascript. Any ideas?
      >
      > That's an odd thing to imagine. There are far more things
      > stored in the browser that are not available to script than
      > are available.
      >
      > The authors of the popular browsers are, for the most part,
      > intelligent and honest, and try to avoid making it easy for
      > people to get away with the sort of spoofing that would make
      > any feature of the system (such as HTTP-REFERRER) completely
      > useless.

      Well, I'm mostly imagining it because I want to do it so badly. ;)

      I'll take this answer as a no, then? That's disappointing - searches that
      use POST make it impossible to use my web browser's bookmark/nickname
      feature.

      Ah well. Thanks


      • John Bokma

        #4
        Re: Referrer Spoofing in Javascript?

        Rod Hilton <rod@NOSPAMair0day.com> wrote in
        news:Xns957CDAC09716DrodNOSPAMair0daycom@216.196.97.136:

        >> any feature of the system (such as HTTP-REFERRER) completely
        >> useless.

        Referer, like all other headers the browser sends, can be easily spoofed. A
        site relying on those is broken in the first place.

        > Well, I'm mostly imagining it because I want to do it so badly. ;)

        Then use Perl, PHP or some other server-side trick.

        --
        John MexIT: http://johnbokma.com/mexit/
        personal page: http://johnbokma.com/
        Experienced programmer available: http://castleamber.com/
        Happy Customers: http://castleamber.com/testimonials.html
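
Added example, not part of any post in this thread: a sketch of why a server that gates a form on the Referer header accepts any client that writes the expected value, next to a check bound to a server-issued session token. The names `SITE_B`, `SERVER_SECRET`, `refererCheck`, `issueToken`, `tokenCheck` and the request objects are constructed for illustration and assume a Node.js server.

```javascript
const crypto = require("node:crypto");

// Constructed values for this example only.
const SERVER_SECRET = "constructed-example-secret";
const SITE_B = "https://site-b.example";

// Check as described in the thread: trust the client-supplied Referer header.
function refererCheck(req) {
  try {
    return new URL(req.headers.referer).origin === SITE_B;
  } catch {
    return false; // header missing or not a URL
  }
}

// Token that site B embeds in its own search form, bound to the visitor's session.
function issueToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_SECRET).update(sessionId).digest("hex");
}

// Alternative check: the POST must carry the token issued for its session cookie.
function tokenCheck(req) {
  const sid = req.cookies.sid;
  const supplied = req.body.token;
  if (typeof sid !== "string" || typeof supplied !== "string") return false;
  const expected = Buffer.from(issueToken(sid), "hex");
  const got = Buffer.from(supplied, "hex");
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed requests: one from site B's own form, one from a non-browser
// client that simply writes site B's URL into the Referer header.
function evaluate() {
  const fromOwnForm = {
    headers: { referer: SITE_B + "/search" },
    cookies: { sid: "session-1234" },
    body: { q: "widgets", token: issueToken("session-1234") },
  };
  const scripted = {
    headers: { referer: SITE_B + "/search" },
    cookies: {},
    body: { q: "widgets" },
  };
  return {
    ownForm: { referer: refererCheck(fromOwnForm), token: tokenCheck(fromOwnForm) },
    scripted: { referer: refererCheck(scripted), token: tokenCheck(scripted) },
  };
}

console.log(evaluate());
```

Both requests pass the Referer check; only the one carrying the session-bound token passes the second check.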


        • Rod Hilton

          #5
          Re: Referrer Spoofing in Javascript?

          John Bokma <postmaster@castleamber.com> wrote in
          news:Xns957CEF4BA59BDcastleamber@130.133.1.4:

          > Then use Perl, PHP or some other server-side trick.

          Is that possible? To visit site B from site A and have site B think site A
          was something else? It would seem like, after A sends the page to the
          client, it has lost its opportunity to influence site B's data in any way.

          I'm well versed in PHP (well, pretty well versed), and I don't know of a
          way to do that.


          • John Bokma

            #6
            Re: Referrer Spoofing in Javascript?

            Rod Hilton <rod@NOSPAMair0day.com> wrote in
            news:Xns957D8467AA50rodNOSPAMair0daycom@216.196.97.136:

            > John Bokma <postmaster@castleamber.com> wrote in
            > news:Xns957CEF4BA59BDcastleamber@130.133.1.4:
            >
            >> Then use Perl, PHP or some other server-side trick.
            >
            > Is that possible? To visit site B from site A and have site B think
            > site A was something else?

            Your browser can do it, so yes. The browser *sends* the referer to the
            site, it can put anything it wants in that header.

            > It would seem like, after A sends the page
            > to the client, it has lost its opportunity to influence site B's data
            > in any way.
            >
            > I'm well versed in PHP (well, pretty well versed), and I don't know of
            > a way to do that.

            Can you send the headers? If you can, you can send anything you want.
            Including a spoofed header.

            --
            John MexIT: http://johnbokma.com/mexit/
            personal page: http://johnbokma.com/
            Experienced programmer available: http://castleamber.com/
            Happy Customers: http://castleamber.com/testimonials.html


            • Rod Hilton

              #7
              Re: Referrer Spoofing in Javascript?

              John Bokma <postmaster@castleamber.com> wrote in
              news:Xns957D955D876BEcastleamber@130.133.1.4:

              > Can you send the headers? If you can, you can send anything you want.
              > Including a spoofed header.

              Well, you could have the PHP script send a different location header, but
              that would actually redirect the browser. What I'm saying is, when the
              client makes a connection to site B, it doesn't run anything by site A
              again, so what could A do to spoof the header as it appears to site B? The
              connection between the client and A is over.. and I don't think A can tell
              the browser it's at a different site - any method I can think of to do that
              redirects the browser. That's why I thought it might be a task more
              related to javascript than any server side application.


              • Lee

                #8
                Re: Referrer Spoofing in Javascript?

                Rod Hilton said:
                >
                >John Bokma <postmaster@castleamber.com> wrote in
                >news:Xns957D955D876BEcastleamber@130.133.1.4:
                >
                >> Can you send the headers? If you can, you can send anything you want.
                >> Including a spoofed header.
                >
                >Well, you could have the PHP script send a different location header, but
                >that would actually redirect the browser. What I'm saying is, when the
                >client makes a connection to site B, it doesn't run anything by site A
                >again, so what could A do to spoof the header as it appears to site B? The
                >connection between the client and A is over.. and I don't think A can tell
                >the browser it's at a different site - any method I can think of to do that
                >redirects the browser. That's why I thought it might be a task more
                >related to javascript than any server side application.

                The client connects to a PHP page on server A, which sends spoofed header
                information to server B, receives the HTTP response, and sends that response to
                the client.


                • Jim Ley

                  #9
                  Re: Referrer Spoofing in Javascript?

                  On 8 Oct 2004 14:36:40 -0700, Lee <REM0VElbspamtrap@cox.net> wrote:

                  >Rod Hilton said:
                  >
                  >>The referrer is stored in the browser, so I imagine there has to be some
                  >>way to spoof a referrer using javascript. Any ideas?
                  >
                  >That's an odd thing to imagine. There are far more things
                  >stored in the browser that are not available to script than
                  >are available.

                  the XML HTTP Request Object lets you set any header, including the
                  Referrer of course.

                  Jim.


                  • John Bokma

                    #10
                    Re: Referrer Spoofing in Javascript?

                    Rod Hilton wrote:
                    > John Bokma <postmaster@castleamber.com> wrote in
                    > news:Xns957D955D876BEcastleamber@130.133.1.4:
                    >
                    >> Can you send the headers? If you can, you can send anything you want.
                    >> Including a spoofed header.
                    >
                    > Well, you could have the PHP script send a different location header,
                    > but that would actually redirect the browser. What I'm saying is,
                    > when the client makes a connection to site B, it doesn't run anything
                    > by site A again, so what could A do to spoof the header as it appears
                    > to site B? The connection between the client and A is over.. and I
                    > don't think A can tell the browser it's at a different site - any
                    > method I can think of to do that redirects the browser. That's why I
                    > thought it might be a task more related to javascript than any server
                    > side application.

                    Server side you can fetch the page from the other site, like a browser
                    does, and hence you can spoof whatever you want.

                    --
                    John MexIT: http://johnbokma.com/mexit/
                    personal page: http://johnbokma.com/
                    Experienced programmer available: http://castleamber.com/
                    Happy Customers: http://castleamber.com/testimonials.html


                    • Rod Hilton

                      #11
                      Re: Referrer Spoofing in Javascript?

                      Lee <REM0VElbspamtrap@cox.net> wrote in news:cka7d308h5@drn.newsguy.com:

                      > Rod Hilton said:
                      >>
                      >>John Bokma <postmaster@castleamber.com> wrote in
                      >>news:Xns957D955D876BEcastleamber@130.133.1.4:
                      >>
                      >>> Can you send the headers? If you can, you can send anything you
                      >>> want. Including a spoofed header.
                      >>
                      >>Well, you could have the PHP script send a different location header,
                      >>but that would actually redirect the browser. What I'm saying is,
                      >>when the client makes a connection to site B, it doesn't run anything
                      >>by site A again, so what could A do to spoof the header as it appears
                      >>to site B? The connection between the client and A is over.. and I
                      >>don't think A can tell the browser it's at a different site - any
                      >>method I can think of to do that redirects the browser. That's why I
                      >>thought it might be a task more related to javascript than any server
                      >>side application.
                      >
                      > The client connects to a PHP page on server A, which sends spoofed
                      > header information to server B, receives the HTTP response, and sends
                      > that response to the client.

                      I was doing that. The problem is how much work it takes to parse the
                      thing. If the HTML sent back uses relative links, I have to parse the
                      thing and force all of the links and srcs to be absolute, which is a lot of
                      work. I want the client to make the connection to B, otherwise my script
                      has to be extremely complex, I believe.


                      • John Bokma

                        #12
                        Re: Referrer Spoofing in Javascript?

                        Rod Hilton wrote:

                        [ header spoofing ]
                        > I was doing that. The problem is how much work it takes to parse the
                        > thing. If the HTML sent back uses relative links, I have to parse the
                        > thing and force all of the links and srcs to be absolute, which is a
                        > lot of work.

                        Just set a baseurl in the <head> part

                        > I want the client to make the connection to B, otherwise
                        > my script has to be extremely complex, I believe.

                        Or use Perl

                        --
                        John MexIT: http://johnbokma.com/mexit/
                        personal page: http://johnbokma.com/
                        Experienced programmer available: http://castleamber.com/
                        Happy Customers: http://castleamber.com/testimonials.html
