Open
Description
According to the URL specification, the Referer header must not contain URL fragments (the part of the URL beginning with #). However, in practice many clients will simply copy the current URL into the Referer header. Since web servers have to allow fragments in the Referer header, this opens the door to attacks in the fragment part (we already detect attacks in the path and query parts of URLs in the Referer header).

We should add a new rule that targets the fragment part of URLs in the Referer header only and applies RCE detection as 932205 does to path and query.

See also the discussion in #3485.
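To make the gap concrete, the following is an added example (not code from the issue author or from the CRS project) that splits a Referer header value into its path, query and fragment parts and runs a detection check over each. The RCE patterns in it are a deliberately simplified, constructed stand-in for illustration only; they are not the 932205 regex and do not reproduce any CRS rule content. The Referer values are likewise constructed test inputs. With `include_fragment=False` the check mirrors the current situation (path and query inspected, fragment ignored); with `include_fragment=True` it shows what the proposed fragment-only rule would catch.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed, simplified patterns standing in for RCE detection.
# These are NOT the real CRS 932205 regex; they only illustrate the idea.
RCE_PATTERNS = [
    re.compile(r"(?:^|[;&|`\s])(?:cat|sh|bash|nc|wget|curl)\b", re.I),
    re.compile(r"\$\([^)]*\)"),          # $(...) command substitution
    re.compile(r"/etc/passwd"),          # classic probe target
]


def split_referer(value):
    """Split a Referer header value into path, query and fragment.

    Per the Fetch spec a client should strip the fragment before sending
    the Referer, but many clients copy the full URL, so a server-side
    check must keep the fragment rather than assume it is absent.
    Each part is percent-decoded so encoded payloads are inspected too.
    """
    parts = urlsplit(value)
    return {
        "path": unquote(parts.path),
        "query": unquote(parts.query),
        "fragment": unquote(parts.fragment),
    }


def matches_rce(text):
    """Return True if any of the (constructed) RCE patterns match."""
    return any(p.search(text) for p in RCE_PATTERNS)


def inspect_referer(value, include_fragment):
    """Return the names of the Referer parts that trigger detection.

    include_fragment=False models the current coverage (path + query);
    include_fragment=True models the proposed additional fragment rule.
    """
    parts = split_referer(value)
    targets = ["path", "query"]
    if include_fragment:
        targets.append("fragment")
    return [name for name in targets if matches_rce(parts[name])]


if __name__ == "__main__":
    # Constructed sample Referer values for demonstration.
    samples = [
        "https://example.com/docs/cats?page=2#section-3",       # benign
        "https://example.com/;cat%20/etc/passwd",               # attack in path
        "https://example.com/app/page?id=1#;cat%20/etc/passwd", # attack in fragment
    ]
    for s in samples:
        print(s)
        print("  current (path+query):", inspect_referer(s, include_fragment=False))
        print("  with fragment rule:  ", inspect_referer(s, include_fragment=True))
```

The third sample is the case the issue describes: the payload sits entirely after the # and is missed by the path/query checks, but is flagged once the fragment is inspected on its own.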