Referer Header

The Referer request header contains the address of the page from which the request was made (the page that linked to, or embedded, the requested resource).

The Referer header allows servers to identify where people are visiting them from.

  • Servers may use that data for analytics, logging, or optimized caching.

  • Sometimes it is also used for access control.

The value is fully user controllable: the client decides whether to send it and what it contains.

First hit: No Referer

GET https://elearning.ua.pt/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: _ga_RWZB1HRVYE=GS1.1.1605202432.1.1.1605202861.0; _ga=GA1.1.857190253.1605202434;
_gid=GA1.2.1334581424.1605202436; _hjTLDTest=1; _hjid=25f0d0c2-0616-4e02-86b2-ba6a336f5a99;
_hjFirstSeen=1; _hjAbsoluteSessionInProgress=0
Upgrade-Insecure-Requests: 1
Host: elearning.ua.pt

Subsequent request

GET https://elearning.ua.pt/theme/adaptable/style/print.css HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://elearning.ua.pt/
Cookie: _ga_RWZB1HRVYE=GS1.1.1605202432.1.1.1605202861.0; _ga=GA1.1.857190253.1605202434;
_gid=GA1.2.1334581424.1605202436; _hjTLDTest=1; _hjid=25f0d0c2-0616-4e02-86b2-ba6a336f5a99;
_hjFirstSeen=1; _hjAbsoluteSessionInProgress=0; MoodleSession=bcsqms7e7h324mmv1s46favccl
Host: elearning.ua.pt

Expected meaning:

  • The user accessing /internal/private.html came from /loggedin, therefore they must have been authenticated.

In reality:

  • The 'Referer' header MAY be set by the browser; nothing obliges the client to send it, or to send a truthful value.

  • It was meant for origin authentication, but here it is being used for authorization.

  • It also falls into the TOCTOU class (time-of-check to time-of-use): the check happened on an earlier request (at /loggedin), while the use is the current request, and the only link between the two is a client-supplied claim.
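The two patterns side by side, as an added example that is not part of the original slides: a check that trusts the client-supplied Referer against a hardened check that authorizes from server-side session state looked up via the session cookie. The login URL, the session store and the two requests are constructed for the example.

```python
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Assumed login page whose Referer the flawed check "trusts" (constructed for this example).
LOGIN_PAGE = "https://elearning.ua.pt/loggedin"

# Constructed server-side session store: session id -> authenticated user.
SESSIONS: Dict[str, str] = {"sess_constructed_123": "student42"}


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def referer_based_check(headers: Dict[str, str]) -> bool:
    """The flawed pattern from the slide: treat 'came from /loggedin' as proof of login.
    The Referer is chosen entirely by the client, so a match proves nothing."""
    return _header(headers, "Referer") == LOGIN_PAGE


def session_based_check(headers: Dict[str, str], sessions: Dict[str, str]) -> Optional[str]:
    """Hardened: authorize from server-side state keyed by the session cookie.
    Returns the authenticated user, or None when the request carries no live session."""
    cookie = SimpleCookie()
    cookie.load(_header(headers, "Cookie"))
    morsel = cookie.get("MoodleSession")
    if morsel is None:
        return None
    return sessions.get(morsel.value)


# Constructed requests for /internal/private.html.
# 1) Claims to come from the login page but carries no session at all.
REQ_REFERER_ONLY = {"Host": "elearning.ua.pt", "Referer": LOGIN_PAGE}
# 2) No Referer (first hit, or a privacy setting stripped it) but a valid session cookie.
REQ_SESSION_ONLY = {"Host": "elearning.ua.pt",
                    "Cookie": "_ga=GA1.1.857190253.1605202434; MoodleSession=sess_constructed_123"}


def compare() -> Dict[str, tuple]:
    """Run both checks on both requests: (referer_verdict, session_user)."""
    return {
        "referer_only": (referer_based_check(REQ_REFERER_ONLY),
                         session_based_check(REQ_REFERER_ONLY, SESSIONS)),
        "session_only": (referer_based_check(REQ_SESSION_ONLY),
                         session_based_check(REQ_SESSION_ONLY, SESSIONS)),
    }
```

The Referer check admits the request that has no session and rejects the legitimately logged-in one that lacks a Referer; the session check gets both right because it consults state the client cannot write.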
