diy:referrer-spoofing

Differences

This shows you the differences between two versions of the page.

diy:referrer-spoofing [2025/09/30 22:44] – external edit 127.0.0.1diy:referrer-spoofing [2025/10/11 12:05] (current) Humphrey Boa-Gart
Line 1: Line 1:
-====== Referrer Spoofing ====== +#redirect diy:referer-spoofing
- +
-When a browser or bot requests a webpage, it sends a "Referer" [[tools:http-headers|HTTP header]] containing a URL of the page that they were previously at, if they followed a link there. It is based on a canonized misspelling of the word //"referrer"//+
- +
-So, if you are on //website1.com//, and you follow a link from there to //website2.com//, the administrators of //website2.com// will be able to see you came there from //website1.com// based on the string that was passed in the Referer header. +
- +
-To prevent this from happening, you can just configure your browser to send a different Referer, or even no Referer at all! +
- +
- +
-===== Why It's Important ===== +
- +
-There are many reasons one might want to consider referer spoofing, which include: +
- +
-  * Some sites bar remote hotlinking or direct access to media, unless the referer string comes from another page on the same site. +
-  * You want to trip up logging, analytics or advertising trackers that are embedded on the sites you are visiting. +
-  * You are fraudulently increasing impressions of paid advertising campaigns. +
-  * You are following links to a target of [[:op|operations]], and want to obscure your origin to said target. +
-  * You are sending a target on a [[hazards:red-herring|wild goose chase]] as a form of counterintelligence. +
-  * You are breaking into poorly-coded websites that rely on Referer strings as part of a security measure. //(they out there!)// +
-  * You are engaging in [[wp>Referer spam]]. +
-  * You are engaging in [[tactics:csrf-attack|cross-site request forgery]] attacks. +
- +
-Note that we do not endorse spoofing your Referer header to commit illegal acts. We are just saying that, in addition to this tactic's use as a genuine privacy tool, professional criminals are also known to make use of it, sometimes to very lucrative & entertaining ends. +
- +
- +
-===== Application-Specific Instructions ===== +
- +
-Since Referer strings are set on the application level, how to spoof it depends on the type of software you are using. If you have multiple programs, you will have to spoof them all individually: +
- +
- +
-==== Web Browsers ==== +
- +
-While by no means an exhaustive list, the following **browser extensions** have referer spoofing and/or cloaking capabilities. +
- +
-//**IMPORTANT NOTE:** These extensions have not been fully vetted by the **Anonymous Military Institute** and should be run with caution. Please inform the [[user:generowl|Dean]] if you find any of these to present major security risks!// +
- +
- +
-=== Firefox === +
- +
-  * [[https://addons.mozilla.org/en-US/firefox/addon/referercontrol/]] +
-  * [[https://addons.mozilla.org/en-US/firefox/addon/referer-modifier/]] +
-  * [[https://addons.mozilla.org/en-US/firefox/addon/chameleon-ext/]] +
- +
- +
-=== Brave & Chrome === +
- +
-  * [[https://chromewebstore.google.com/detail/referer-spoofer/khejlgjhghlpadddldphknbnifkahghn]] +
-  * [[https://chromewebstore.google.com/detail/kill-the-referrer/bbanejjnomfdapclboglpaldknagccia]] +
- +
- +
- +
- +
-==== Terminal Utilities ==== +
- +
-If you are using [[tools:bash|command line]] utilities to visit, download or scrape web pages, you can usually manually set the Referer string without having to install any additional plugins. +
- +
- +
-=== cURL === +
- +
-Use the ''-e'' or ''--referer'' flag to directly set the Referer: +
- +
-  $ curl --referer "http://comes-from.example.com" https://www.example.com +
-  - or - +
-  $ curl -e "http://comes-from.example.com" https://www.example.com +
- +
-Since the Referer is passed as an [[tools:http-headers|HTTP header]], you can also change the Referer header by using the ''-H'' or ''--header'' flag, which lets you manipulate headers: +
- +
-  $ curl --header "Referer: http://comes-from.example.com" https://example.com +
-  - or -   +
-  $ curl -H "Referer: http://comes-from.example.com" https://example.com +
- +
-Since cURL does not set a Referer by default, there is no reason to make it pass a blank string, as the string is empty already. +
- +
- +
-=== Wget === +
- +
-To set a custom Referer header with Wget, use the ''--referer'' flag: +
- +
-  $ wget --referer="http://comes-from.example.com" https://example.com +
- +
-Since Wget does not set a Referer by default, there is no reason to make it pass a blank string, as the string is empty already. +
- +
-For more information on how to use ''wget'', read the [[tools:wget|Wget article]]. +
- +
- +
-{{tag>Tutorials Security}}+
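
Review bot: Line 1 replaces the whole article with "#redirect diy:referer-spoofing", but the target page is not part of this comparison, so nothing visible here confirms that the removed sections (Why It's Important, the browser extension lists with their vetting caveat, the cURL and Wget instructions, the Tutorials/Security tag line) now live under the new id. Confirm the content was carried over to diy:referer-spoofing before relying on this revision, and check that inbound links to diy:referrer-spoofing still resolve through the redirect. The current revision also shows no edit summary next to the author name; a short one stating that the page was moved to match the header's spelling would make the history self-explanatory.
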
diy/referrer-spoofing.txt · Last modified: by Humphrey Boa-Gart

Find this page online at: https://bestpoint.institute/diy/referrer-spoofing