referrer policy vulnerabilities

Referrer-Policy is an HTTP response header (the same policy can also be set with a <meta name="referrer"> tag or a referrerpolicy attribute on a link).
It tells the browser whether, and how much of, the current page's URL to put in the Referer request header when the page navigates or redirects to, or loads a resource from, another site. Note the spelling: the policy header is "Referrer-Policy" (double r), the request header it controls is "Referer" (single r).

below are the possible Referrer-Policy values in an HTTP response

  1. Referrer-Policy: no-referrer
  2. Referrer-Policy: no-referrer-when-downgrade
  3. Referrer-Policy: origin
  4. Referrer-Policy: origin-when-cross-origin
  5. Referrer-Policy: same-origin
  6. Referrer-Policy: strict-origin
  7. Referrer-Policy: strict-origin-when-cross-origin
  8. Referrer-Policy: unsafe-url

exploitability

The Referrer-Policy that matters is the one served with the page the browser is leaving (google.com in the example below), not the one on the destination. The leak needs three things at once:

  1. the browser moves from google.com to yoursite.com: the user clicks a link, an XSS/HTML-injection bug plants a link or image pointing at yoursite.com, or an open redirect bounces the navigation there (subresource loads such as <img src> send Referer too, not only top-level navigations)
  2. the policy in effect on google.com lets the full URL through to a cross-origin destination (see "exploitable policies" below)
  3. the google.com URL carries a sensitive GET parameter (an OAuth code or access token, a password-reset token, a session id)

Then the secret arrives in yoursite.com's access logs inside the Referer header, and that is the vulnerability.

example sensitive URL:       https://google.com?token=abcd
example leaking policies:    Referrer-Policy: no-referrer-when-downgrade (when both sites are https) or Referrer-Policy: unsafe-url

exploitable policies

if one of the following is in the HTTP response header of the page that holds the sensitive URL, then it is exploitable when chained with another bug that triggers the navigation (link injection, XSS, open redirect):

  Referrer-Policy: no-referrer-when-downgrade    (full URL is sent unless the hop is https -> http)
  Referrer-Policy: unsafe-url                    (full URL is always sent, even on a downgrade)
  no Referrer-Policy header at all, on a browser whose default is no-referrer-when-downgrade (older browsers; current browsers default to strict-origin-when-cross-origin, which is safe)

Never use these on pages whose URL can carry a secret (OAuth callbacks, password-reset links, anything with a token in the query string). The root fix is to keep secrets out of URLs altogether; the policy only limits the damage when that is not possible.

what should be used

  Referrer-Policy: no-referrer
  Referrer-Policy: same-origin
  Referrer-Policy: strict-origin
  Referrer-Policy: strict-origin-when-cross-origin    (the current browser default; send it explicitly anyway so old clients get it too)

A quick check is to request the sensitive page with curl -I and look for the Referrer-Policy line in the response.

meanings

(in the list below, "full" means the page URL minus any username:password and #fragment; "origin" means scheme://host:port only, no path and no query; "downgrade" means going from https to http)

no-referrer
don't send a Referer header at all

no-referrer-when-downgrade
send the full URL, except on a downgrade (https -> http), where nothing is sent
If you go from https://example.com to https://othersite.com
→ the full referrer, query string included, will be sent (this is what makes it exploitable)

origin
send only the origin (scheme, host name, port), never the path or query, on every request, including downgrades

same-origin
when the request is cross-origin don't send anything
if same-origin then send the full URL

origin-when-cross-origin
send only the origin for cross-origin requests (even on a downgrade)
when it is a same-origin request, send the full URL

strict-origin
send only the origin, and nothing at all on a downgrade

strict-origin-when-cross-origin
same-origin request: send the full URL
cross-origin request where the protocol security level stays the same (https -> https, http -> http): send only the origin
cross-origin downgrade (https -> http): send nothing
this is what current browsers apply when no policy is set

unsafe-url
no protection: send the full URL to whatever domain, including on a downgrade
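The rules above and the exploitability check are the same computation, so here is one added example (not code from the original notes) that models the browser's "determine request's referrer" algorithm from the Referrer Policy spec for all eight policies and then asks, for the sensitive URL from the exploitability section, whether the query string reaches a cross-origin destination. The URLs are constructed for illustration; attacker.example stands in for "yoursite.com", and the secure-scheme check is simplified to https plus loopback.

```javascript
// Added example: a model of how a browser derives the Referer header from the
// Referrer-Policy of the page it is leaving. Not part of the original notes.

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// Policy applied when the page sets none. Current browsers use
// strict-origin-when-cross-origin; older ones used no-referrer-when-downgrade.
const DEFAULT_POLICY = 'strict-origin-when-cross-origin';

// A referrer is never sent with credentials or a fragment, whatever the policy.
function fullReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// "Origin only" referrer: scheme://host[:port]/ with no path or query.
function originReferrer(url) {
  return new URL(url).origin + '/';
}

// Simplified "potentially trustworthy" test (assumption: https and loopback only).
function isSecure(url) {
  const u = new URL(url);
  return u.protocol === 'https:' || u.hostname === 'localhost' || u.hostname === '127.0.0.1';
}

// Referer value the browser attaches when a page at fromUrl navigates to, or
// loads a resource from, toUrl under the given policy; null when none is sent.
function computeReferer(fromUrl, toUrl, policy = DEFAULT_POLICY) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  const downgrade = isSecure(fromUrl) && !isSecure(toUrl);
  switch (policy === '' ? DEFAULT_POLICY : policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : fullReferrer(fromUrl);
    case 'origin':
      return originReferrer(fromUrl);
    case 'origin-when-cross-origin':
      return sameOrigin ? fullReferrer(fromUrl) : originReferrer(fromUrl);
    case 'same-origin':
      return sameOrigin ? fullReferrer(fromUrl) : null;
    case 'strict-origin':
      return downgrade ? null : originReferrer(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullReferrer(fromUrl);
      return downgrade ? null : originReferrer(fromUrl);
    case 'unsafe-url':
      return fullReferrer(fromUrl);
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// The exploitability check: does the query string of the sensitive page
// (e.g. "?token=abcd") reach the destination inside the Referer header?
function leaksQuery(fromUrl, toUrl, policy) {
  const query = new URL(fromUrl).search;
  const referer = computeReferer(fromUrl, toUrl, policy);
  return query !== '' && referer !== null && referer.includes(query);
}

// Constructed scenario from the notes: a page whose URL carries a token, leaving
// for a cross-origin site over https, over plain http (a downgrade), and for a
// same-origin page. Credentials and fragment are included to show they are stripped.
const SENSITIVE = 'https://user:pw@google.com/?token=abcd#frag';
const TARGETS = ['https://attacker.example/', 'http://attacker.example/', 'https://google.com/other'];

function leakTable() {
  const rows = [];
  for (const policy of POLICIES) {
    for (const to of TARGETS) {
      rows.push({ policy, to, referer: computeReferer(SENSITIVE, to, policy), leaks: leaksQuery(SENSITIVE, to, policy) });
    }
  }
  return rows;
}

for (const r of leakTable()) {
  console.log(`${r.policy.padEnd(32)} -> ${r.to.padEnd(26)} Referer: ${String(r.referer).padEnd(32)} token leaks: ${r.leaks}`);
}
```

Run it with node and the table shows the two leaking rows per policy: only no-referrer-when-downgrade (https to https) and unsafe-url deliver ?token=abcd to attacker.example; every strict- or origin-only policy reduces the Referer to https://google.com/, and same-origin and no-referrer drop it entirely.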

notes
