The Cache: Technology Expert's Forum
 
*
Welcome, Guest. Please login or register. September 19, 2019, 01:48:46 PM

Login with username, password and session length


Pages: [1] 2 3
  Print  
Author Topic: slaying the referrer  (Read 10502 times)
Indica
Rookie
**
Offline Offline

Posts: 49


View Profile
« on: March 31, 2008, 03:39:54 PM »

hello eggheads  ROFLMAO

my latest project has me needing to clean my referrers, as to hide where my traffic is originating from. i've tried simple things, such as passing through a few 302 redirects via header location, no go the ref still gets passed through. i then remembered reading that ssl kills off the ref, so i setup a self-signed cert on my lampp box. unfortunately this didn't seem to work either, i setup a vhost for siteA.com and put a link on it to https://siteB.com, and it still sent the ref.

now for the monkey wrench: i can't do this with any client-side tricks, meaning no js or meta refreshes. the request is coming from an image and css.

any takers? Grin there's got to be a way to do this D'oh!
Logged
nutballs
Administrator
Lifer
*****
Offline Offline

Posts: 5627


Back in my day we had 9 planets


View Profile
« Reply #1 on: March 31, 2008, 04:44:39 PM »

unfortunatly i dont think there is a way. the https strip will only work if the ssl page actually loads client side. in otherwords, an https page will not pass itself as the ref when a user clicks out to another site (generally), from that HTTPS page. so if you are just redirecting through it, it wont work how you expect.

the referer is a client side issue, so from the server side, you dont really have any control.
Logged

I could eat a bowl of Alphabet Soup and shit a better argument than that.
Indica
Rookie
**
Offline Offline

Posts: 49


View Profile
« Reply #2 on: March 31, 2008, 05:12:26 PM »

oof, not good  Cry i would really hate to have to shelf what i had planned on doing, so i'm going to keep poking around in the hopes of finding a solution. with thousands on the line i think i can spare a few days/weeks of research. implementation without finding a solution would pretty much be suicide as i'd have hits coming from thousands of different urls. affiliate programs would be onto me like flies on shit!

i suppose i could try to find some way to do this involving js (ala xss), though it would mean what i originally had planned must be scrapped, since i cannot edit the image tag code. talk about being between a rock and a hard place

to be continued..
Logged
vsloathe
vim ftw!
Global Moderator
Lifer
*****
Offline Offline

Posts: 1669



View Profile
« Reply #3 on: March 31, 2008, 07:13:18 PM »

A lot of us are onto the same thing m8. First one who figures it out will make us all happy, if he chooses to share it.
Logged

hai
Indica
Rookie
**
Offline Offline

Posts: 49


View Profile
« Reply #4 on: March 31, 2008, 07:41:07 PM »

so it seems  Grin

any of you bastards gets it i'll offer up nearly 4mil/month in people who love to eat oreos  Devilish
Logged
DangerMouse
Expert
****
Offline Offline

Posts: 244



View Profile
« Reply #5 on: April 01, 2008, 04:31:13 AM »

i suppose i could try to find some way to do this involving js (ala xss), though it would mean what i originally had planned must be scrapped, since i cannot edit the image tag code.

In some cases you don't need to edit the image tag code directly; it all depends on what filters are applied when a file is uploaded.

DM
Logged
Indica
Rookie
**
Offline Offline

Posts: 49


View Profile
« Reply #6 on: April 01, 2008, 05:24:39 AM »

it all depends on what filters are applied when a file is uploaded.

can you elaborate?
Logged
DangerMouse
Expert
****
Offline Offline

Posts: 244



View Profile
« Reply #7 on: April 01, 2008, 05:41:12 AM »

Sure, although this relates to the icky xss side of things so its probably best not to go into too much detail (not that I could lol!) - this is an example of what I was thinking - http://ha.ckers.org/blog/20070603/image-upload-xss/. There are probably some other options for spiking the image upload itself although I'm not too familiar with this kind of thing.

It might be worth looking into the fact you can execute javascript from within image headers, however this only works where the image is loaded directly in the browser i.e. not from the web page context, but from clicking a link directly to the image for example. I've not tried it, but I suspect that this means theres no DOM to manipulate and no way to bust out of the security context of the host so its probably not that usefull.

DM
Logged
Indica
Rookie
**
Offline Offline

Posts: 49


View Profile
« Reply #8 on: April 01, 2008, 05:52:23 AM »

hmm i don't think that method would be applicable here since there's no image uploading really, it's just an hosted on my server that people have included on their site(s).
Logged
svakanda
Expert
****
Offline Offline

Posts: 131



View Profile
« Reply #9 on: June 06, 2008, 04:06:20 PM »

yeah, im pretty sure you need to dive into the icky xss for that to ever work.  we've all been pounding it pretty hard lately...
Logged

a ship is safe in the harbor, but that's not what it's for.
jammaster82
Lifer
*****
Offline Offline

Posts: 666


Thats craigs list for ya


View Profile
« Reply #10 on: June 06, 2008, 11:08:52 PM »

yeah, im pretty sure you need to dive into the icky xss for that to ever work.  we've all been pounding it pretty hard lately...

thats what she said.

 ROFLMAO

Logged

The watched pot, never boils... But if you walk away from it , the soup burns.  What gives?
dbrown
Rookie
**
Offline Offline

Posts: 28


View Profile
« Reply #11 on: July 20, 2008, 01:52:36 PM »

?

Logged
emonk
Rookie
**
Offline Offline

Posts: 44


View Profile
« Reply #12 on: July 21, 2008, 06:40:10 AM »

hello eggheads  ROFLMAO

my latest project has me needing to clean my referrers, as to hide where my traffic is originating from. i've tried simple things, such as passing through a few 302 redirects via header location, no go the ref still gets passed through. i then remembered reading that ssl kills off the ref, so i setup a self-signed cert on my lampp box. unfortunately this didn't seem to work either, i setup a vhost for siteA.com and put a link on it to https://siteB.com, and it still sent the ref.

now for the monkey wrench: i can't do this with any client-side tricks, meaning no js or meta refreshes. the request is coming from an image and css.

any takers? Grin there's got to be a way to do this D'oh!

 Did you try a 301 redirect, a javascript redirect, or a meta-refresh?
Logged
vsloathe
vim ftw!
Global Moderator
Lifer
*****
Offline Offline

Posts: 1669



View Profile
« Reply #13 on: July 21, 2008, 06:54:00 AM »

hello eggheads  ROFLMAO

my latest project has me needing to clean my referrers, as to hide where my traffic is originating from. i've tried simple things, such as passing through a few 302 redirects via header location, no go the ref still gets passed through. i then remembered reading that ssl kills off the ref, so i setup a self-signed cert on my lampp box. unfortunately this didn't seem to work either, i setup a vhost for siteA.com and put a link on it to https://siteB.com, and it still sent the ref.

now for the monkey wrench: i can't do this with any client-side tricks, meaning no js or meta refreshes. the request is coming from an image and css.

any takers? Grin there's got to be a way to do this D'oh!

 Did you try a 301 redirect, a javascript redirect, or a meta-refresh?

When stuffing cookies (which is most likely what he's doing), you have to use an image usually that points to the page. Browsers will not follow refresh redirects, even if they are sent in the header. The only thing a browser will download of an image is enough data to know that it's not what it expects (e.g. until it gets to the Type: header).
Logged

hai
emonk
Rookie
**
Offline Offline

Posts: 44


View Profile
« Reply #14 on: July 21, 2008, 09:01:45 AM »

hello eggheads  ROFLMAO

my latest project has me needing to clean my referrers, as to hide where my traffic is originating from. i've tried simple things, such as passing through a few 302 redirects via header location, no go the ref still gets passed through. i then remembered reading that ssl kills off the ref, so i setup a self-signed cert on my lampp box. unfortunately this didn't seem to work either, i setup a vhost for siteA.com and put a link on it to https://siteB.com, and it still sent the ref.

now for the monkey wrench: i can't do this with any client-side tricks, meaning no js or meta refreshes. the request is coming from an image and css.

any takers? Grin there's got to be a way to do this D'oh!

 Did you try a 301 redirect, a javascript redirect, or a meta-refresh?

When stuffing cookies (which is most likely what he's doing), you have to use an image usually that points to the page. Browsers will not follow refresh redirects, even if they are sent in the header. The only thing a browser will download of an image is enough data to know that it's not what it expects (e.g. until it gets to the Type: header).

 My bad. I missed that part of the original question.
Logged
Pages: [1] 2 3
  Print  
 
Jump to:  

Perkiset's Place Home   Best of The Cache   phpMyIDE: MySQL Stored Procedures, Functions & Triggers
Politics @ Perkiset's   Pinkhat's Perspective   
cache
mart
coder
programmers
ajax
php
javascript
Powered by MySQL Powered by PHP Powered by SMF 1.1.2 | SMF © 2006-2007, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks


Valid XHTML 1.0! Valid CSS!