1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Is this enough to fake my HTTP Referrer??

Discussion in 'Black Hat SEO' started by MarketerX, Mar 14, 2015.

  1. MarketerX

    MarketerX Regular Member

    Joined:
    Mar 7, 2010
    Messages:
    404
    Likes Received:
    121
    Hey all, just a quick question before I start a campaign. I have a link on Site A, leading to Site B (email submit affiliate link). I don't want Site B to ever see Site A in their refferer logs.

    So, I created an intermediate Site C. On Site C, I have this very simply PHP + Javascript.

    Code:
    <html>
    <body>
    <?php
        if ($_GET["token"] == "secret") {
            echo "<script>";
            echo "window.location.href = "http://afflinkhere.com";
            echo "<script>"
        } 
    ?>
    </body>
    <html>
    
    So, if I access Site C and append the secret parameter ?token="secret", it will redirect too my affiliate link, showing Site C instead of Site A as the referrer. Accessing Site C without the secret token means the redirect will never happen. Also PHP is hidden from View Source, so someone cannot go to Site C and see the code above.

    Is this all correct and leak proof? I believe all major browsers support this code.

    Clicking thanks button on best answer.
     
    Last edited: Mar 14, 2015
  2. MarketerX

    MarketerX Regular Member

    Joined:
    Mar 7, 2010
    Messages:
    404
    Likes Received:
    121
    Really hope I get a response, it's an important question to ask before I start sending BH traffic to my aff link. I noticed I haven't been getting many answers on BHW these days, are these forums still active?
     
  3. MarketerX

    MarketerX Regular Member

    Joined:
    Mar 7, 2010
    Messages:
    404
    Likes Received:
    121
    45 views and no response on a legit question. I'm gonna assume noone knows and just go with this method, I'm pretty sure it will work with no leaks. I have tested a bit and it seems to work, but wanted to verify...
     
  4. jamie3000

    jamie3000 Supreme Member

    Joined:
    Jun 30, 2014
    Messages:
    1,371
    Likes Received:
    624
    Occupation:
    Finance coder looking for semi-retirement
    Location:
    uk
    Yes that seems fine to me. The true http referrer should be hidden. You may want to consider blocking link indexing spiders so they can't see your secret link from site a to the js redirect site. Redirect meta tag is also another option :)
     
    • Thanks Thanks x 1
    Last edited: Mar 14, 2015
  5. MarketerX

    MarketerX Regular Member

    Joined:
    Mar 7, 2010
    Messages:
    404
    Likes Received:
    121
    Great tip jamie, thank you :)

    P.S. I know there are some syntax errors in the original code, just typed it up really fast.

    One thing I'm noticing, it is sending the param token=secret with the referrer, is this why some scripts use self posting forms echo'd through PHP? Because I can't have the parameter sent with the referrer.
     
  6. d4mn1t

    d4mn1t Newbie

    Joined:
    Feb 15, 2012
    Messages:
    18
    Likes Received:
    5
    Using this technique doesn't hide referrer on all browsers. Each browser works different for some you have to use double meta refresh for some javascript location redirect is good and others need php header location. I found that most browsers drops referrer when you use form submit in the blank iframe. But still there are exceptions so you need to test them as much as you can. My suggestion use form submit will be best for you.
     
    • Thanks Thanks x 1
  7. MarketerX

    MarketerX Regular Member

    Joined:
    Mar 7, 2010
    Messages:
    404
    Likes Received:
    121
    Hi d4mn1t, thanks for your response. When testing, should I be redirecting to a php page I own which echos the referrer? Because that's what I'm doing, and it seems to be working. I still need to implement and test the self posting form, but most scripts I've seen seem to use that method. And blanking the referrer before faking is good advice.
     
  8. d4mn1t

    d4mn1t Newbie

    Joined:
    Feb 15, 2012
    Messages:
    18
    Likes Received:
    5
    You can use php script to test referrer other good option is to press f12 in your browser and look at the net window you can see headers there and if referrer is not blank it will show it there. Test only major browsers firefox, chrome, ie, opera. Also some of them works different on mobile. It all depends what traffic you are or will receive. But if you want to never let them see just be sure that every situation is tested :) Also you could use some service look in google for that "blank referrer" or remove referrer there are plenty of them just don't know which is the best. As I have tested some of them they weren't perfect.
     
    • Thanks Thanks x 1
  9. MarketerX

    MarketerX Regular Member

    Joined:
    Mar 7, 2010
    Messages:
    404
    Likes Received:
    121
    Yeah I'd rather not use a 3rd party service or outdated script too do this, I think it is safest if it's done and tested by myself :) Does blanking using the double meta refresh work on all browsers? If so, blanking can be my safety net.
     
  10. d4mn1t

    d4mn1t Newbie

    Joined:
    Feb 15, 2012
    Messages:
    18
    Likes Received:
    5
    No double meta refresh doesn't work on all browsers. Can't say on which it works and which one not but you can test it :) As I said before there isn't a one method for all but best is form post in iframe.
     
  11. seapunk

    seapunk Registered Member

    Joined:
    Dec 28, 2014
    Messages:
    85
    Likes Received:
    20
    Just pass through https:// ??