Leakage of Sensitive Data from Referer Header

kratsolab - Leakage of Sensitive Data from Referer Header

Leaking sensitive data to an external domain through the Referer header can have severe consequences. When we talk about sensitive data leaking via the Referer header, we really mean a URL that carries sensitive data, for example a password reset link. If such a link reaches an attacker, it can be very handy for them.


Password Reset Link

When users forget their password, they request a password reset link. The link is sent to the user's email address, and once the user clicks it they are taken to the password reset page. Now consider the link itself. Its most important part is the token: anyone who obtains that token can use it to change the user's password.



Consider the following scenario: the user receives the password reset link and follows it. Assume that the password reset page loads an image from an external domain. To fetch that image the browser sends a request to the external domain, and in the Referer header of that request it reports the URL the request originated from. In other words, while fetching the image the browser hands the user's complete password reset link, token included, to the external domain that serves the image. This happens automatically, without any action by the user, and the same applies to any other cross-origin resource the page loads (scripts, stylesheets, fonts, iframes). Whether the full URL or only the origin is sent depends on the page's Referrer-Policy: with no policy set, older browsers send the full URL to any destination that does not downgrade from HTTPS to HTTP, while current browsers default to strict-origin-when-cross-origin and send only the scheme and host to other origins.
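To make the mechanism concrete, the following added example (not code from the original post) models how a browser derives the Referer header for a subresource request under each Referrer-Policy value, following the W3C Referrer Policy rules, and checks whether the reset token from the page URL ends up in it. The reset link, its token and the image URL are constructed for illustration.

```javascript
// Added example (not code from the original post): a model of how a browser
// derives the Referer header for a subresource request under each
// Referrer-Policy value. Policy names and the stripping rules follow the
// W3C Referrer Policy spec; the URLs and token value below are constructed.

// Constructed password reset link (the token is a made-up placeholder).
const RESET_URL = "https://example.com/reset-password?token=3f9a1c7e2b";
// Constructed third-party image the reset page is assumed to embed.
const EXTERNAL_IMAGE = "https://cdn.example.net/logo.png";

// A referrer is always sent without credentials and without the fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// An HTTPS page requesting a plain-HTTP resource counts as a downgrade.
function isDowngrade(page, target) {
  return page.protocol === "https:" && target.protocol === "http:";
}

// Returns the Referer value the browser would send, or null for no header.
// The default mirrors what current browsers apply when no policy is set.
function referrerFor(pageUrl, targetUrl, policy = "strict-origin-when-cross-origin") {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const full = stripForReferrer(pageUrl);   // scheme://host/path?query
  const originOnly = page.origin + "/";     // scheme://host/
  const sameOrigin = page.origin === target.origin;
  const downgrade = isDowngrade(page, target);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "no-referrer-when-downgrade":     // legacy browser default
      return downgrade ? null : full;
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// True when the token from pageUrl would appear in the Referer sent to targetUrl.
function tokenLeaks(pageUrl, targetUrl, policy) {
  const token = new URL(pageUrl).searchParams.get("token");
  const referer = referrerFor(pageUrl, targetUrl, policy);
  return token !== null && referer !== null && referer.includes(token);
}

// Show what each policy reveals to the third-party image host.
const POLICIES = [
  "unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin",
  "origin", "same-origin", "no-referrer",
];
for (const policy of POLICIES) {
  console.log(
    policy.padEnd(32),
    "Referer:", referrerFor(RESET_URL, EXTERNAL_IMAGE, policy),
    "leaks token:", tokenLeaks(RESET_URL, EXTERNAL_IMAGE, policy),
  );
}
```

Running it shows that only unsafe-url and the legacy default no-referrer-when-downgrade hand the token to cdn.example.net; every origin-only policy reduces the Referer to https://example.com/, and no-referrer suppresses the header entirely.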


Fixing the Problem

As the previous example showed, the leak happens when the password reset page fetches something from an external domain. The first fix is therefore not to fetch anything from external domains on that page and to host the files on your own domain, so the sensitive link is never sent anywhere else. In addition, send a Referrer-Policy: no-referrer response header (or the equivalent <meta name="referrer" content="no-referrer"> tag) on the password reset page, so the browser omits the Referer even if a third-party resource is added later. Finally, keep reset tokens short-lived and single-use, so that a link that does leak loses its value quickly.
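The check below is an added example, not code from the original post: it audits the HTML of a password reset page for subresources served from another origin and reports whether the page's Referrer-Policy would still let the full reset URL reach those hosts. The page markup, URLs and headers are constructed for illustration, and the regex is a deliberately simple approximation of which elements a browser fetches automatically.

```javascript
// Added example (not code from the original post): audit a password reset
// page for cross-origin subresources and check whether the response's
// Referrer-Policy would still expose the full URL to them. The HTML, URLs
// and headers below are constructed; the regex approximates what a browser
// parser fetches and is not a full HTML parser.

const RESET_URL = "https://example.com/reset-password?token=3f9a1c7e2b";

// Constructed reset page that embeds a third-party image and script.
const LEAKY_RESET_PAGE = `
<html><head>
  <link rel="stylesheet" href="/static/reset.css">
  <script src="https://analytics.example.net/t.js"></script>
</head><body>
  <img src="https://cdn.example.net/logo.png" alt="logo">
  <img src='/static/lock.png' alt="lock">
  <form action="/reset-password" method="post"><input name="password"></form>
</body></html>`;

// The same page with every resource served from the application's own origin.
const SELF_HOSTED_RESET_PAGE = LEAKY_RESET_PAGE
  .replace("https://analytics.example.net/t.js", "/static/t.js")
  .replace("https://cdn.example.net/logo.png", "/static/logo.png");

// Headers the reset page should carry: the browser then sends no Referer at all.
const HARDENED_HEADERS = { "Referrer-Policy": "no-referrer" };

// Policies under which a cross-origin fetch carries the full page URL (path and
// query). An absent policy is treated as leaky, because legacy browsers fall
// back to no-referrer-when-downgrade.
const FULL_URL_POLICIES = new Set(["", "unsafe-url", "no-referrer-when-downgrade"]);

// Elements whose src/href the browser fetches without user interaction
// (anchors are excluded: they only navigate on click).
const RESOURCE_RE =
  /<(img|script|link|iframe|source|video|audio|embed)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Lists every automatically fetched resource whose origin differs from the page's.
function findCrossOriginResources(html, pageUrl) {
  const page = new URL(pageUrl);
  const found = [];
  for (const match of html.matchAll(RESOURCE_RE)) {
    let resolved;
    try {
      resolved = new URL(match[2], page);   // resolves relative and protocol-relative URLs
    } catch {
      continue;                             // skip malformed URLs
    }
    if (resolved.origin !== page.origin) {
      found.push({ tag: match[1].toLowerCase(), url: resolved.href });
    }
  }
  return found;
}

// Case-insensitive header lookup; returns "" when the header is absent.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? "" : String(headers[key]).trim().toLowerCase();
}

// Reports what the page fetches cross-origin and whether the reset link would
// be exposed to those hosts under the response's Referrer-Policy.
function auditResetPage(html, pageUrl, headers) {
  const externalResources = findCrossOriginResources(html, pageUrl);
  const referrerPolicy = headerValue(headers, "Referrer-Policy");
  const leaksFullUrl = externalResources.length > 0 && FULL_URL_POLICIES.has(referrerPolicy);
  return { externalResources, referrerPolicy, leaksFullUrl };
}

console.log(auditResetPage(LEAKY_RESET_PAGE, RESET_URL, {}));
console.log(auditResetPage(LEAKY_RESET_PAGE, RESET_URL, HARDENED_HEADERS));
console.log(auditResetPage(SELF_HOSTED_RESET_PAGE, RESET_URL, {}));
```

The three calls at the end show the two halves of the fix separately: the hardened header stops the leak while the third-party image and script are still present, and self-hosting removes the cross-origin fetches so there is nothing left for a Referer to reach. Applying both is the robust choice, since the header alone does nothing for the HTML that an attacker-controlled third-party script could inject.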