PHP: Spoof HTTP referer field with cURL.

In this short PHP guide, I will show you how easy it is to spoof the HTTP referer field using cURL. In previous tutorials, I have pointed out how the HTTP_REFERER field cannot be trusted. This is why.

In the code below, we send a simple GET request using Facebook.com as the referer address:

An explanation of the code above:

  1. We created a cURL handle by using the curl_init function.
  2. We set the target to test.com by setting the CURLOPT_URL option.
  3. We set the HTTP referer field to m.facebook.com. This means that the server will think that this request was a result of somebody clicking on a link on Facebook.
  4. We set CURLOPT_FOLLOWLOCATION to true because we want to following any header redirects that are given to us.
  5. We set CURLOPT_AUTOREFERER to true because we don’t want to lose the referer information if a header redirect does take place.
  6. Finally, we execute the GET request and close the cURL handle.

If were the owner of test.com and you printed the $_SERVER[‘HTTP_REFERER’] variable out on to the page, it would read “https://m.facebook.com/”

See how easy that was?

Facebook Comments