Response Processors: CSRF Processor: Incident - HTTP Referers Disabled

Complexity: Suspicious (1.0)

Default Response: None.

Cause: The HTTP protocol provides support for a special header called the "referer" (misspelled on purpose). This header tells the webserver where the user just came from. So if the user visits Google and follows a link from Google to get to another page, the request for that second page will contain a "referer" of "http://". Some browsers provide the option to turn off automatic transmission of the "referer" header, which makes it impossible for websites to identify the page the user came from. This incident is triggered whenever a user accesses the website with referers disabled. This is not necessarily a malicious act, as it could be the result of an excessively paranoid legitimate user, but it is also somewhat unusual and is often a technique employed by malicious users.

Behavior: Hackers will often disable the referer header to make it more difficult to monitor and analyze an attack through the traditional HTTP log files. Many webservers will record the URL the user is accessing, as well as the referer that was submitted. As such, by disabling referers, the hacker is able to eliminate a large percentage of the information collected about the attack.
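The following is an added example, not the CSRF processor's own logic: it shows how an analyst could look for the same condition in the HTTP log files mentioned above. It assumes the Apache/nginx "combined" log format and a hypothetical rule that a client is flagged only when it makes at least `min_requests` requests and none of them carries a referer, since a single direct visit legitimately has none.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format (assumed): the referer is the first quoted
# field after the response size; a missing referer is logged as "-".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /products HTTP/1.1" 200 2048 "http://shop.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:09 +0000] "GET /cart HTTP/1.1" 200 1024 "http://shop.example/products" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:02:12 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:02:13 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:02:14 +0000] "GET /account HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:10:30 +0000] "GET /products HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""

def clients_without_referers(log_text, min_requests=3):
    """Return {client_ip: request_count} for clients that made at least
    min_requests requests and never sent a referer on any of them."""
    total = defaultdict(int)      # all parsed requests per client
    with_ref = defaultdict(int)   # requests that carried a referer
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than guess
        total[m["ip"]] += 1
        if m["referer"] not in ("", "-"):
            with_ref[m["ip"]] += 1
    return {ip: n for ip, n in total.items()
            if n >= min_requests and with_ref.get(ip, 0) == 0}

if __name__ == "__main__":
    for ip, count in clients_without_referers(SAMPLE_LOG).items():
        print(f"{ip}: {count} requests, no referer on any of them")
```

The client that arrives without a referer and then sends one on later requests is not flagged, and neither is the single-request client. Because the incident is rated Suspicious, treat a match as context for other events rather than as proof of an attack.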