In this short PHP guide, I will show you how easy it is to spoof the HTTP referer field using cURL. In previous tutorials, I have pointed out how the HTTP_REFERER field cannot be trusted. This is why.
In the code below, we send a simple GET request using Facebook.com as the referer address:
$ch = curl_init();
//The URL cURL will be sending a request to.
curl_setopt($ch, CURLOPT_URL, 'http://test.com/');
//The referer we will give the website above.
curl_setopt($ch, CURLOPT_REFERER, 'https://m.facebook.com/');
//Follow any header redirects
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
//If there is a redirect, we want to keep the referral URL we
curl_setopt($ch, CURLOPT_AUTOREFERER, true);
//Execute the cURL request.
$result = curl_exec($ch);
//Close the cURL handle.
An explanation of the code above:
- We created a cURL handle by using the curl_init function.
- We set the target to test.com by setting the CURLOPT_URL option.
- We set the HTTP referer field to m.facebook.com. This means that the server will think that this request was a result of somebody clicking on a link on Facebook.
- We set CURLOPT_FOLLOWLOCATION to true because we want to following any header redirects that are given to us.
- We set CURLOPT_AUTOREFERER to true because we don’t want to lose the referer information if a header redirect does take place.
- Finally, we execute the GET request and close the cURL handle.
If were the owner of test.com and you printed the $_SERVER[‘HTTP_REFERER’] variable out on to the page, it would read “https://m.facebook.com/”
See how easy that was?