Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I had an idea while I was working on some PHP code. Usually, if a user is searching for a website on google and clicks on a link, the referer (in this case google, including search strings, etc.) the visiting website is getting this information.
do you think it is possible to create an attack vector out of the referal information? like: what could you do, if you know that the referer is maybe a site like paypal.com?
I’m looking forward to read your ideas about it!
Yes, this is generally possible. The URL could contain sensitive information that is only meant for the visiting user of the origin web site.
An often mentioned example is the session ID that is used to identify the user’s session. If that session ID is leaked to a third party, the third party can try to use that session (known as Session Hijacking). That’s why many web sites use a so called defererrer to strip out any possibly sensitive information when linking to third party sites.