Indica

hello eggheads

my latest project has me needing to clean my referrers, so as to hide where my traffic is originating from. i've tried simple things, such as passing through a few 302 redirects via header location; no go, the ref still gets passed through. i then remembered reading that ssl kills off the ref, so i set up a self-signed cert on my lampp box. unfortunately this didn't seem to work either: i set up a vhost for siteA.com and put a link on it to https://siteB.com, and it still sent the ref.

now for the monkey wrench: i can't do this with any client-side tricks, meaning no js or meta refreshes. the request is coming from an image and css.

any takers? there's got to be a way to do this

nutballs

unfortunately i don't think there is a way. the https strip will only work if the ssl page actually loads client side. in other words, an https page will not pass itself as the ref when a user clicks out to another site (generally), from that HTTPS page. so if you are just redirecting through it, it won't work how you expect.

the referer is a client side issue, so from the server side, you don't really have any control.

Indica

oof, not good. i would really hate to have to shelve what i had planned on doing, so i'm going to keep poking around in the hopes of finding a solution. with thousands on the line i think i can spare a few days/weeks of research. implementation without finding a solution would pretty much be suicide as i'd have hits coming from thousands of different urls. affiliate programs would be onto me like flies on shit!

i suppose i could try to find some way to do this involving js (ala xss), though it would mean what i originally had planned must be scrapped, since i cannot edit the image tag code. talk about being between a rock and a hard place

to be continued..

vsloathe

A lot of us are onto the same thing m8. First one who figures it out will make us all happy, if he chooses to share it.

Indica

so it seems

any of you bastards gets it i'll offer up nearly 4mil/month in people who love to eat oreos

DangerMouse

quote author=Indica link=topic=860.msg6016#msg6016 date=1207008746

i suppose i could try to find some way to do this involving js (ala xss), though it would mean what i originally had planned must be scrapped, since i cannot edit the image tag code.


In some cases you don't need to edit the image tag code directly; it all depends on what filters are applied when a file is uploaded.

DM

Indica

quote author=DangerMouse link=topic=860.msg6024#msg6024 date=1207049473

it all depends on what filters are applied when a file is uploaded.


can you elaborate?

DangerMouse

Sure, although this relates to the icky xss side of things so it's probably best not to go into too much detail (not that I could lol!) - this is an example of what I was thinking - http://ha.ckers.org/blog/20070603/image-upload-xss/. There are probably some other options for spiking the image upload itself although I'm not too familiar with this kind of thing.

It might be worth looking into the fact you can execute javascript from within image headers, however this only works where the image is loaded directly in the browser i.e. not from the web page context, but from clicking a link directly to the image for example. I've not tried it, but I suspect that this means there's no DOM to manipulate and no way to bust out of the security context of the host so it's probably not that useful.

DM

Indica

hmm i don't think that method would be applicable here since there's no image uploading really, it's just an hosted on my server that people have included on their site(s).

