Using RefControl

Continuing on with my web application penetration testing series, I will now go into the usage of RefControl. RefControl is useful for checking referrer-based exploits, such as CSRF.


RefControl allows you to specify the referrer sent to a site when you view it. The global list of all rules that you have set for all sites is accessed from the Tools->RefControl options. The current settings for the site you are visiting are accessed from the right-click menu. If you have set no rules, you will be able to add a new rule.

After selecting the RefControl options for the current site, you are able to add your custom referrer, send no referrer, or have RefControl automatically send the root of the current site.

What use is this? With the tidal wave of CSRF exploits being found, a tool that can help find these would be welcomed with open arms. This is where RefControl enters the domain. While referrer checking is not a hardened safeguard against CSRF, many sites still employ it. By setting RefControl’s custom referrer to an off-site referrer, you are able to check forms and links with GET variables simply by interacting as you normally would. If the request goes through, that form or link should be inspected further. Sites using only Token Key Pairs might let the request through and so look vulnerable to this method of probing, while not being vulnerable to CSRF itself. This is why it is important to continue inspecting after such a hit, rather than simply accepting it as a vulnerability.
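Why an accepted off-site referrer is only a lead can be shown with a small model of the server side. This is an added example, not code from RefControl or from the original post; the host, token value, policy names and the token-less follow-up check are all assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

SITE_HOST = "app.example"                  # constructed sample host
SESSION_TOKEN = "constructed-token-value"  # constructed per-session anti-CSRF token

def referer_ok(headers):
    """Referrer check: accept only a Referer whose host is exactly the site's own."""
    return urlsplit(headers.get("Referer", "")).hostname == SITE_HOST

def token_ok(form):
    """Token check: constant-time comparison against the session's token."""
    return hmac.compare_digest(form.get("csrf_token", ""), SESSION_TOKEN)

# Three hypothetical server-side policies for a state-changing request.
POLICIES = {
    "none": lambda headers, form: True,
    "referer_only": lambda headers, form: referer_ok(headers),
    "token_only": lambda headers, form: token_ok(form),
}

def triage(policy_name):
    """Classify what an accepted off-site referrer means under a given policy."""
    accepts = POLICIES[policy_name]
    offsite = {"Referer": "https://other.example/page"}
    # Probe: the tester's own browser with the referrer rewritten. The form was
    # loaded normally, so the valid token is still submitted with it.
    probe = accepts(offsite, {"csrf_token": SESSION_TOKEN, "email": "a@b.example"})
    # Follow-up: the same request without the token, because a page on another
    # origin cannot read the token out of the real form.
    followup = accepts(offsite, {"email": "a@b.example"})
    if not probe:
        return "rejected: referrer is enforced"
    if followup:
        return "accepted without token: no CSRF defence on this request"
    return "accepted only with token: probe hit is a false positive"

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:13} -> {triage(name)}")
```
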

Another interesting permutation of RefControl is setting the custom referrer to include SQL characters. Many sites check referrers and store them in a database for analytic purposes, and this allows the penetration tester to check whether those inputs are being validated as well.

About samurai

I like computers... A lot. So I tend to spend a lot of time doing varied things with them. Often you'll find me playing with Python or PHP, fighting with operating systems, ranting about some off-the-wall concept, or preparing for zombies.
This entry was posted in SamuraiNet Archive.

3 Responses to Using RefControl

  1. So are you going to link to the refcontrol site or do I have to google it? :P

    I’m assuming is correct?

  2. admin says:

    Yes. It was listed in the first post of this section.

  3. Uber0n says:

    Sometimes sites store unfiltered referrers in .htm (or similar) log files, which can be used to run XSS against the admins who check the logs ;)
