How do you spoof HTTP_REFERER?

风流意气都作罢 提交于 2019-12-29 08:53:07

问题


I need to try and spoof the HTTP_REFERER passed my another page so that in the destination page, I can determine of the request is coming in from the "right" page and perform appropriate logic.

  1. How do I do that in JavaScript (AJAX)?
  2. Can I do that in ASP.Net?

TIA rams


回答1:


Generally speaking, you cannot cause other browsers to return a false HTTP_REFERER without an exploit, plug-in, or other extension. If you want to modify the value sent from your web browser and you are using FireFox, look at the Modify Headers extension.

In any case, you should never rely on HTTP_REFERER being accurate. There is no guarantee that the HTTP_REFERER you receive is not faked or simply not sent.




回答2:


If you want to test at the destination page whether a request is coming from the "right" page, you don't need to spoof the referrer. All you need to do is issue the request from a different page. Set up a page at a different URL from what you consider the "right" one, and issue requests from there, either by clicking a link to the destination page or by putting an image sourced from the destination.




回答3:


It's already been mentioned that you can't really spoof things. But to clarify, the HTTP_REFERER header is generated by the browser, so on the server side of things you can't control it (including things handing off javascript, which may or may not be enabled).

If you just want to test the response of your page to certain headers (like "Referer:"), you can use command-line tools like curl or wget which are available in most BSD and Linux variants (including OS/X). If you're using MS Windows, you can get curl or wget using Cygwin.

    wget -O - --referer="http://example.com/some/path" http://example.com/

or

    curl -e "http://example.com/some/path" http://example.com/

But your core reason for doing this is apparently to "protect" a page, I think. If you really want to make sure that a page (call it "B") is only visited after some other page ("A") is visited first, then you need more complex logic on the server side.

If you're storing a session cookie, then you can embed some logic on page "A" that sets a boolean variable. Then add logic on page "B" that checks to make sure the variable has been set.

I'll leave it as an exercise for the reader to figure out how to do this in ASP.NET. (Because I'm a PHP programmer. ;-] )



来源:https://stackoverflow.com/questions/616980/how-do-you-spoof-http-referer

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!