0

I'm trying to do some csrf attack test on a site.

I found that the site protect itself from csrf by checking the http Origin header.

But I guess maybe under some conditions I can bypass the protection. The website just check if the request has the Origin: header set to https://example.com -

Is it possible to set a custom Origin header in the browser using some php code?

apex
  • 11
  • 3
  • 1
    These question and answers may be helpful to you: https://stackoverflow.com/questions/21058183/whats-to-stop-malicious-code-from-spoofing-the-origin-header-to-exploit-cors – Demento Apr 02 '20 at 17:14
  • 2
    PHP is a server-side language. How do you intend to get PHP to run in a browser? Further, it is quite easy to spoof an origin header yourself. However this is a CSRF attack, so it is the victim's browser that you would have to spoof the origin header for. So ask yourself: can I convince my victim's browser to send a different origin header? – Conor Mancone Apr 02 '20 at 17:30
  • Does this answer your question? CSRF protection with custom headers (and without validating token) – mentallurg Apr 02 '20 at 18:33
  • @ConorMancone,

    I was thinking to use something like this:

    <?php header('Origin: https://example.com'); ?> +csrf-code

    How can i spoof the origin header myself or convince victim browser to do that?

    The server checks the Origin: header and if it's not example.com throws a 500 error message while if it's set to https://example.com the csrf works fine.

     – apex Apr 03 '20 at 01:42
  • 1
    I wasn't asking that to answer your question but try to point you in the right direction. The short of it is simple: you can't do this. Certainly not with PHP, but not at all anyway. You have no control over the victim's browser and if you did (I.e. XSS) then you would no longer have to worry about CSRF. Keep learning and most importantly, try out your own suggestion. I often learn the most from the things that don't work. – Conor Mancone Apr 03 '20 at 01:58

1 Answers1

2

The HTTP Origin is a forbidden header name, meaning that it is set by the browser and cannot be overridden in any requests. As long as a modern browser is used and the web application returns an error if the origin header doesn't match or isn't sent, there is not a way to bypass this.

Side note, as pointed out in comments, PHP does not run in the browser, as it is a server-side language.

multithr3at3d
  • 12,842
  • 3
  • 32
  • 43