Paid Advertising
web application security lab

Removing referring URLs with JavaScript

I can’t tell you how many times I’ve seen people assume that referring URLs will always exist, or attempt to use them as legitimate security models. All referring URLs can tell you is that someone came from somewhere or is lying to you. In reverse, if a referring URL is not there, it could be that their browser doesn’t support referring URLs (often the case with robots), it is being supressed by a security mechanism like Zonelabs Pro or Norton Anti-Virus, etc…, they typed in the URL directly, that they bookmarked the page or they are lying to you and supressing it. Quite a few possibilities, huh?

The possibilities of using this against tools that detect it are pretty plentiful. The most obvious method is using META refreshes. META refresh removes a referring URL. Click on this link to see the referring URL as well as the rest of the headers that are sent to the server. I came across this a year or so ago, but there is a way to overwrite a page using a simple document.write. If you call document.write from an event handler, rather than just outputting something inline it will completely overwrite the page. That’s interesting but it still leaves a referring URL. But what I found is if you include it in a JavaScript directive and replace the existing location with the JavaScript string it will remove all your referring information. Click this link to see javascript remove the referring URL - use FireFox for this test. This works in both Firefox and IE, although in Firefox it actually changes the domain to javascript: which could be nasty for phishing detection engines because it is not detectable at a given domain (at least in Firefox) and the referrer is not existent.

Anyway, I’d suggest not using any referrer detection unless it’s just out of curiosity’s sake. Sure it can leak information but it can also be used against you or not even be there at all, as the case above shows.

Comments are closed.