How to forge Referer using PHP

Source: Internet
Author: User
Tags curl http request

  When the browser sends a request to the Web server, it usually takes a referer to tell the server where I came from, and the server can get some information for processing, but this referer can be forged, look at an example below, you will understand

What is HTTP Referer in short, the HTTP Referer is part of the header, and when the browser sends a request to the Web server, it usually takes a Referer to tell the server where I came from and the server can get some information for processing. For example, from my home page to link to a friend there, his server can be from the HTTP Referer to count the number of users per day to click on my home page links to visit his site. Referer in fact should be the English word referrer, but misspelled too many people, so the people who write standards are mistake. My question I have just changed the feed reader to Gregarius, but he is not like I used to Liferea, visit Sina Blog, can not show the picture, hint "This picture is limited to Sina Blog user communication and communication", I know, this is the result of HTTP Referer. Because I am the particularity of the Internet client configuration, the first suspicion is squid problem, but through the experiment ruled out, but at the same time found a squid and Tor, Privoxy collaborative use of privacy disclosure problem, left to study later. Can Gregarius handle the problem? The answer is no, because Gregarius is only responsible for outputting HTML code, and access to the image is requested by the client browser to the server. However, installing a Firefox extension may solve the problem, the recommended "Send referrer" I did not find, but found another available: "Refcontrol", according to the different access to the site, control the use of different referer. But I don't like to use Firefox extensions to solve problems, because I think he is too inefficient, so I--privoxy in a better way. Privoxy awesome. Add two lines to the default.action of Privoxy: {+hide-referrer{forge}}. so the image of Sina blog in Gregarius is out? +hide-referrer is a privoxy filter that sets the way to handle HTTP referer when accessing, and the Forge Representative uses the access address as the refere, and can also be replaced with block, which represents the cancellation of Referer, Or write the Referer URL that you want to use here. Using Privoxy is much simpler than using Firefox, so change it quickly. From HTTPS to HTTP I also found that HTTP Referer is not checked on HTTP pages when accessing a link on an HTTPS page to a unencrypted HTTP page.For example, when I click on my https page below the WWW XHTML verification icon (URL for, never complete the checksum, hint: no Referer header found! Originally, it is defined in the RFC document of the HTTP protocol:   code is as follows: 15.1.3 Encoding sensitive information in URI ' s   Clients SHOULD not include a Refe RER Header field in a (non-secure) HTTP request if the referring page is transferred with a secure protocol.       This is for security reasons, when access to unencrypted pages, if the source is an encrypted page, the client does not send Referer,ie has been implemented, Firefox browser is no exception. However, this does not affect access from encrypted pages to encrypted pages. Firefox in the Referer settings are in, there are two key values: Network.http.sendRefererHeader (default=2) Set referer send the way, 0 for completely do not send, 1 for only click on the link to send, Do not send when accessing the image in the page, 2 is always sent. See Privacy Tip #3: Block Referer Headers in Firefox network.http.sendSecureXSiteReferrer (default=true) Sets whether to send referer,true to send when accessing from an encrypted page to another encrypted page, false to not send.   Use Referer to prevent picture hotlinking   Although referer is not reliable, but to prevent the picture hotlinking is enough, after all, not everyone will modify the configuration of the client. Implementation is generally through the Apache configuration file, first set to allow access to the address, marked down: # only to allow access from, the picture may be placed on the site page setenvifnocase Referer "^http://"Local_ref" directly through address access setenvif Referer "^$" Local_rThe EF then prescribes the marked access to be allowed:     code as follows: <filesmatch. (gif|jpg) "> Order Allow,deny Allow from Env=local_ref </FilesMatch>     or       code as follows: &L t;directory/web/images>    order deny,allow    deny from all    allow from Env=local_ref </Directory>     Do not use Rerferer place   do not put rerferer on authentication or other very important checks, because Rerferer is very easy to change at the client, Whether it's through the Firefox extensions described above, or privoxy, or even Libcurl calls, the Rerferer data is incredibly unreliable. If you want to limit the user's access to an entry page, instead of using Referer, use session, write sessions on the entry page, and then check on other pages, and if the user does not have access to the entry page, then the corresponding conversation does not exist, see the discussion here. However, as mentioned above, do not believe too much in this way of "validation" results. Personal feeling now rerferer in addition to use in the Anti-Theft chain, the most other uses is access statistics, such as statistics users are from where the link to visit and so on.       Http-referer This variable has become more and more unreliable, is completely can be forged out of the Dongdong. The following is a forgery method:   PHP (provided that curl is installed):     Code as follows: $ch = Curl_init (); curl_setopt ($ch, Curlopt_url, ""); curl_setopt ($ch, Curlopt_referer, ""); Curl_exec ($ch); Curl_close ($ch);   PHP (curl with sock) $server = ' '; $host = ' '; $target = '/xxx.asp '; $referer = ''; Referer $port = 80; $fp = Fsockopen ($server, $port, $errno, $errstr, 30); if (! $fp)   {echo $errstr ($errno) <br/>n ";}   else  {$out = "get $target http/1.1rn"; $out. = "Host: $hostrn"; $out. = "cookie:aspsessionidsqtbqsda=dfcapk Lbbficdafmhnkigkegrn "; $out. = "Referer: $refererrn"; $out. = "Connection:closernrn"; Fwrite ($fp, $out); while (!feof ($fp))   {echo fgets ($fp, 128);} fclose ($FP); }   JavaScript Xmlhttp.setrequestheader ("Referer", "Http://URL");/  hehe ~ fake ~       JS does not support ^_^ &nbs P The principle is that sock constructs HTTP headers to SendData. Other languages, such as Perl, are also available, and the simpler way to defend against forgery is to use the verification Code (session) for the current referer. Now there are some commercial companies that can use anti-theft chain software, such as Uudog,linkgate,virtualwall, are the DLLs that are developed to be applied to IIS. Some use cookies to verify, thread control, some can randomly generate file names and do URL rewrite. Some methods can indeed achieve a good result. However, while, outsmart, these tricks after all, there is a way to crack. The general is the case, but the server is not good to achieve forgery, can only make a few data, if you can achieve access to the Web page can be forged, it can achieve real forgery, the realization of natural IP distribution.  
Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.