
Does ABE Anonymize strip referer

Posted: Wed Oct 02, 2013 3:45 pm
by skkukuk
2 questions:

1) Does ABE Anonymize strip the referer header?

2) Does ABE get control before HttpFox or after?

The reason I ask is that HttpFox is showing the referer on a request that I thought should be cleaned by Anonymize.

If ABE doesn't clean the referer header out, that would explain it.

If it does, but ABE gets control after HttpFox, it would explain why HttpFox is showing the referer. In that case, is there something else that can show the output after ABE gets involved?

Thanks!

Re: Does ABE Anonymize strip referer

Posted: Wed Oct 02, 2013 11:16 pm
by Thrawn
skkukuk wrote:
> 1) Does ABE Anonymize strip the referer header?

I doubt it. It's not about privacy; it's about preventing CSRF attacks.

Actually, stripping the Referer header would make you more vulnerable to such attacks, because some sites check the header as a defence. It's not a good defence, but it can work in some cases, and I doubt ABE throws it away.

> 2) Does ABE get control before HttpFox or after?

I'm not sure about that one. Giorgio would know.
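
An added example, not part of the original thread and not ABE or NoScript code: a minimal server-side Referer check of the kind the reply above mentions, showing what the site has to decide when the header is absent. The host names, function names and the `allow_missing` switch are assumptions made for illustration, and the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample configuration: the only origin this site trusts.
TRUSTED_ORIGINS = {("https", "bank.example", 443)}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def referer_check(method, headers, allow_missing):
    """Referer-based CSRF check for one request.

    allow_missing=False: fail closed, so a client whose Referer has been
    stripped cannot submit state-changing requests at all.
    allow_missing=True: fail open, so the check protects nothing whenever
    the header is absent.
    """
    if method.upper() in SAFE_METHODS:
        return True
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), "")
    if not referer.strip():
        return allow_missing
    # Compare the parsed origin, never a substring of the raw header value.
    return origin_of(referer) in TRUSTED_ORIGINS


if __name__ == "__main__":
    samples = [  # constructed requests
        ("POST", {"Referer": "https://bank.example/transfer"}),
        ("POST", {"Referer": "https://other.example/?u=https://bank.example/"}),
        ("POST", {}),  # Referer stripped before the request left the browser
    ]
    for method, headers in samples:
        print(headers.get("Referer", "<none>"),
              "strict:", referer_check(method, headers, allow_missing=False),
              "lenient:", referer_check(method, headers, allow_missing=True))
```

The third sample is the case the thread is about: with the header gone, the strict policy blocks the legitimate user and the lenient policy lets the request through unchecked.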