Referer Spoofing

When a browser or bot requests a webpage, it sends a “Referer” HTTP header containing a URL of the page that they were previously at, if they followed a link there. It is based on a canonized misspelling of the word “referrer”.

So, if you are on website1.com, and you follow a link from there to website2.com, the administrators of website2.com will be able to see you came there from website1.com based on the string that was passed in the Referer header.

To prevent this from happening, you can just configure your browser to send a different Referer, or even no Referer at all!

There are many reasons one might want to consider referer spoofing, which include:

• Some sites bar remote hotlinking or direct access to media, unless the referer string comes from another page on the same site.
• You want to trip up logging, analytics or advertising trackers that are embedded on the sites you are visiting.
• You are fraudulently increasing impressions of paid advertising campaigns.
• You are following links to a target of operations, and want to obscure your origin to said target.
• You are sending a target on a wild goose chase as a form of counterintelligence.
• You are breaking into poorly-coded websites that rely on Referer strings as part of a security measure. (they out there!)
• You are engaging in Referer spam.
• You are engaging in cross-site request forgery attacks.

Note that we do not endorse spoofing your Referer header to commit illegal acts. We are just saying that, in addition to this tactic's use as a genuine privacy tool, professional criminals are also known to make use of it, sometimes to very lucrative & entertaining ends.

Since Referer strings are set on the application level, how to spoof it depends on the type of software you are using. If you have multiple programs, you will have to spoof them all individually:

While by no means an exhaustive list, the following browser extensions have referer spoofing and/or cloaking capabilities.

IMPORTANT NOTE: These extensions have not been fully vetted by the Anonymous Military Institute and should be run with caution. Please inform the Dean if you find any of these to present major security risks!

• https://addons.mozilla.org/en-US/firefox/addon/referercontrol/
• https://addons.mozilla.org/en-US/firefox/addon/referer-modifier/
• https://addons.mozilla.org/en-US/firefox/addon/chameleon-ext/

• https://chromewebstore.google.com/detail/referer-spoofer/khejlgjhghlpadddldphknbnifkahghn
• https://chromewebstore.google.com/detail/kill-the-referrer/bbanejjnomfdapclboglpaldknagccia

If you are using command line utilities to visit, download or scrape web pages, you can usually manually set the Referer string without having to install any additional plugins.

Use the -e or –referer flag to directly set the Referer:

$ curl --referer "http://comes-from.example.com" https://www.example.com
- or -
$ curl -e "http://comes-from.example.com" https://www.example.com

Since the Referer is passed as an HTTP header, you can also change the Referer header by using the -H or –header flag, which lets you manipulate headers:

$ curl --header "Referer: http://comes-from.example.com" https://example.com
- or -  
$ curl -H "Referer: http://comes-from.example.com" https://example.com

Since cURL does not set a Referer by default, there is no reason to make it pass a blank string, as the string is empty already.

To set a custom Referer header with Wget, use the –referer flag:

$ wget --referer="http://comes-from.example.com" https://example.com

Since Wget does not set a Referer by default, there is no reason to make it pass a blank string, as the string is empty already.

For more information on how to use wget, read the Wget article.