I recently found myself on the receiving end of a transparent proxy. It wasn't a nefarious hacking attempt, simply a product demonstration from a partner's potential vendor, but it was disconcerting. Another website was pretending to be my company's site and if this site could do it, anybody could, potentially jeopardizing our customers’ personal data. After all, our customers think they're logging into our site, but somebody else is creating a proxy and potentially altering the information in transit, putting anything that they enter on our site in jeopardy.
I stumbled on the issue through a happy coincidence: my site generates an email when a request looks like it has been forged. As a simple anti-request-forgery measure, I use the synchronizer token pattern, and when this check fails, I send myself the details of the request. It looks something like this:
CSRF Failed POST @ domain.com/path
Referer: domain.com/path-two
Request History:
  * GET @ domain.com/login
  * GET @ domain.com
User Agent: UASTRING
What I noticed, though, was that the domains weren't matching up. As far as my server was concerned, it was behaving as it should, but the referers were all wrong!
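To make the detection concrete, here is an added example (my own code, not the post's) of a synchronizer-token check that also compares the host the browser reports in Origin/Referer against the host the server believes it is serving, and renders the alert in the same shape as the email above. The host name "domain.com", the session layout and the sample requests are all constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Host this server believes it serves (assumed; taken from the post's sample email)
EXPECTED_HOST = "domain.com"
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def new_csrf_token() -> str:
    """Mint the per-session synchronizer token that gets embedded in forms."""
    return secrets.token_urlsafe(32)


def header_host(value):
    """Hostname from a Referer/Origin header value, or None if absent/unparseable."""
    return urlsplit(value).hostname if value else None


def check_request(session, request, expected_host=EXPECTED_HOST):
    """Return (ok, reasons) for a state-changing request.

    Fails when the submitted token does not match the session token, or when
    the host the browser reports (Origin, else Referer) is not the host this
    server thinks it is: the symptom of a transparent proxy in front of the site."""
    reasons = []
    if request["method"] in UNSAFE_METHODS:
        expected = session.get("csrf_token", "")
        supplied = request.get("form", {}).get("csrf_token", "")
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            reasons.append("synchronizer token mismatch")
        headers = request.get("headers", {})
        seen = header_host(headers.get("Origin") or headers.get("Referer"))
        if seen != expected_host:
            reasons.append(f"browser host {seen!r} != server host {expected_host!r}")
    return (not reasons, reasons)


def build_report(request, session, reasons):
    """Render the alert e-mail body in the shape the post shows, plus the reasons."""
    headers = request.get("headers", {})
    lines = [f"CSRF Failed {request['method']} @ {EXPECTED_HOST}{request['path']}",
             f"Reasons: {'; '.join(reasons)}",
             f"Referer: {headers.get('Referer', '-')}",
             "Request History:"]
    lines += [f"  * {method} @ {url}" for method, url in session.get("history", [])]
    lines.append(f"User Agent: {headers.get('User-Agent', '-')}")
    return "\n".join(lines)


# Constructed samples: one legitimate submission and one that arrived via a proxy host
SESSION = {"csrf_token": "tok-abc", "history": [("GET", "domain.com/login"), ("GET", "domain.com")]}
GOOD = {"method": "POST", "path": "/path", "form": {"csrf_token": "tok-abc"},
        "headers": {"Referer": "https://domain.com/path-two", "User-Agent": "UASTRING"}}
PROXIED = {"method": "POST", "path": "/path", "form": {"csrf_token": ""},
           "headers": {"Referer": "https://proxy.example/path-two", "User-Agent": "UASTRING"}}
```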
To remedy this, I compare what the browser thinks the domain is against what the
the page in the form of the