How do you spoof HTTP_REFERER?

StackOverflow https://stackoverflow.com/questions/616980

  •  03-07-2019
  •  | 
  •  

Question

I need to try and spoof the HTTP_REFERER passed my another page so that in the destination page, I can determine of the request is coming in from the "right" page and perform appropriate logic.

  1. How do I do that in JavaScript (AJAX)?
  2. Can I do that in ASP.Net?

TIA rams

Was it helpful?

Solution

Generally speaking, you cannot cause other browsers to return a false HTTP_REFERER without an exploit, plug-in, or other extension. If you want to modify the value sent from your web browser and you are using FireFox, look at the Modify Headers extension.

In any case, you should never rely on HTTP_REFERER being accurate. There is no guarantee that the HTTP_REFERER you receive is not faked or simply not sent.

OTHER TIPS

If you want to test at the destination page whether a request is coming from the "right" page, you don't need to spoof the referrer. All you need to do is issue the request from a different page. Set up a page at a different URL from what you consider the "right" one, and issue requests from there, either by clicking a link to the destination page or by putting an image sourced from the destination.

It's already been mentioned that you can't really spoof things. But to clarify, the HTTP_REFERER header is generated by the browser, so on the server side of things you can't control it (including things handing off javascript, which may or may not be enabled).

If you just want to test the response of your page to certain headers (like "Referer:"), you can use command-line tools like curl or wget which are available in most BSD and Linux variants (including OS/X). If you're using MS Windows, you can get curl or wget using Cygwin.

    wget -O - --referer="http://example.com/some/path" http://example.com/

or

    curl -e "http://example.com/some/path" http://example.com/

But your core reason for doing this is apparently to "protect" a page, I think. If you really want to make sure that a page (call it "B") is only visited after some other page ("A") is visited first, then you need more complex logic on the server side.

If you're storing a session cookie, then you can embed some logic on page "A" that sets a boolean variable. Then add logic on page "B" that checks to make sure the variable has been set.

I'll leave it as an exercise for the reader to figure out how to do this in ASP.NET. (Because I'm a PHP programmer. ;-] )

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top