Isn't the generateToken 'referrer' value supposed to block requests that don't match?

156
0
06-21-2019 01:53 PM
FredSpataro
Occasional Contributor III

Hi All, 

I'm security testing a 10.7 Enterprise deployment and came across a situation that I thought was supposed to be blocked. I thought that if the "referrer" value was set in the generateToken request, that the token would be rejected if the client request's referrer value didn't match.  Am I miss understanding what that value is used for? 

Example:

* Go to: https://<myserver>/portal/sharing/rest/generateToken

   - enter username and password

   - select Webapp URL 

   - enter random web site value

   - click GenerateToken button

   - copy Generated Token value on response

* Open a browser an incognito/in-private browser tab

* Browser to any secured rest services page: ie  https://<myserver>/hosted/rest/services/MyGPTools/GPServer/Tool1

   - Verifiy that service is secured and redirected to portal login page

* Append token to url: ie https://<myserver>/hosted/rest/services/MyGPTools/GPServer/Tool1?token={paste from response}

   - the default browser request does not have a referrer header value so I'm expecting the request to be blocked and redirected back to the login page. But in this test, the REST info display fine and dandy.  ??? 

Maybe I'm simply misunderstanding what this value is used for... 

Thanks 

0 Kudos
0 Replies