Internet browsers append the Referer header within most HTTP requests. It is used to indicate the URL of the page from which the current request originated — either because the user clicked a hyperlink or submitted a form, or because the page referenced other resources such as images.
Hence, it can be leveraged as a mechanism for transferring data via the client. Because the URLs processed by the application are within its control, developers may consider that the Referer header can be used to reliably determine which URL generated a particular request.
For example, consider a mechanism that allows users to reset their password. The application asks users to proceed through different steps in a defined sequence before they really reset their password’s value with the following request:
GET /auth/472/CreateUser.ashx HTTP/1.1
Host: mdsec.net
Referer: https://mdsec.net/auth/472/Admin.ashx
The application may use the Referer header to confirm that this request originated from the correct phase (Admin.ashx). If it did, the user can access the requested functionality.
However, because the user controls every part of every request, including the HTTP headers, this control can be simply bypassed by proceeding directly to (CreateUser.ashx) and using an intercepting proxy to modify the value of the Referer header to the value that the application needs.
The Referer header is strictly optional according to w3.org standards. Hence, although most browsers implement it, using it to control application functionality should be regarded as a hack.
