PHP: Spoof HTTP Referer Field With CURL

In this short PHP guide, I will show you how easy it is to spoof the HTTP referer field using cURL. In previous tutorials, I have pointed out how the HTTP_REFERER field cannot be trusted. This is why.

In the code below, we send a simple GET request using Facebook.com as the referer address:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

<?php   //Initiate cURL. $ch = curl_init();   //The URL cURL will be sending a request to. curl_setopt($ch, CURLOPT_URL, 'http://test.com/');   //The referer we will give the website above. curl_setopt($ch, CURLOPT_REFERER, 'https://m.facebook.com/');   //Follow any header redirects curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);   //If there is a redirect, we want to keep the referral URL we //set above. curl_setopt($ch, CURLOPT_AUTOREFERER, true);   //Execute the cURL request. $result = curl_exec($ch);   //Close the cURL handle. curl_close($ch);

An explanation of the code above:

1. We created a cURL handle by using the curl_init function.
2. We set the target to test.com by setting the CURLOPT_URL option.
3. We set the HTTP referer field to m.facebook.com. This means that the server will think that this request was a result of somebody clicking on a link on Facebook.
4. We set CURLOPT_FOLLOWLOCATION to true because we want to following any header redirects that are given to us.
5. We set CURLOPT_AUTOREFERER to true because we don’t want to lose the referer information if a header redirect does take place.
6. Finally, we execute the GET request and close the cURL handle.