Referer Based XSS

Severity : Medium

Complexity : High (exploitable with old versions of IE)

Weakness: Using the Referer value in the response body

  • While testing one of the private programs on HackerOne, I found that they have functionality to embed their users’ articles on third-party sites.
  • When opening an article from a third-party site, I noticed an href labelled “GO BACK! If it doesn’t load”.
  • Checking the go back href:
<a href="">go back</a>
and try again. If this problem persists, please
<a href="/contact">contact us</a>
  • Exploit.html
<form id='xx' name='exploit' method="GET" action=""></form>
  • When we sent <script>alert(1);</script> to the victim.
  • The Referer value gets set to <script>alert(1);</script>, and on clicking “GO BACK!” the popup appears in IE.
  • The reason the attack works only on IE is that Internet Explorer does not URL-encode the Referer value, whereas Chrome and Firefox will URL encode the values to
  • They fixed it by using javascript:history.back() :
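To make the weakness and the fix concrete, here is an added example (not code from the write-up or the affected program) that renders the “go back” link the vulnerable way, the HTML-escaped way, and the history.back() way the page names, plus an allow-list variant. The sample Referer values and the host name thirdparty.example are constructed for the demonstration.

```python
"""Rendering a "go back" link from the Referer header: unsafe vs. safe variants.

Added example; the handler names, the sample Referer values and the
thirdparty.example host are assumptions made for illustration.
"""
import html
from urllib.parse import urlsplit

# Constructed sample Referer header values. "hostile" carries the shape of
# payload the write-up describes (HTML that closes the href attribute).
SAMPLE_REFERERS = {
    "normal": "https://thirdparty.example/articles/42",
    "hostile": 'https://thirdparty.example/?q="><script>alert(1);</script>',
    "missing": None,  # header absent, e.g. direct navigation
}


def render_vulnerable(referer):
    """Echo the raw Referer into the href: the pattern that was reported."""
    return f'<a href="{referer or ""}">go back</a>'


def render_escaped(referer):
    """HTML-escape the value (quotes included) so it cannot leave the attribute."""
    return f'<a href="{html.escape(referer or "", quote=True)}">go back</a>'


def render_fixed(referer=None):
    """The remediation the write-up mentions: do not echo the header at all."""
    return '<a href="javascript:history.back()">go back</a>'


def is_safe_back_url(referer, allowed_hosts):
    """Allow-list check: only http(s) URLs pointing at known hosts may be linked."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def render_allowlisted(referer, allowed_hosts):
    """Escape AND validate; anything not allow-listed falls back to history.back()."""
    if is_safe_back_url(referer, allowed_hosts):
        return f'<a href="{html.escape(referer, quote=True)}">go back</a>'
    return render_fixed()


def contains_injected_tag(markup):
    """Crude detection used below: a raw <script tag inside the rendered anchor."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    hosts = {"thirdparty.example"}
    for label, value in SAMPLE_REFERERS.items():
        print(label)
        print("  vulnerable :", render_vulnerable(value),
              "(injected)" if contains_injected_tag(render_vulnerable(value)) else "")
        print("  escaped    :", render_escaped(value))
        print("  allowlisted:", render_allowlisted(value, hosts))
```

Escaping alone is what stops the attribute break-out; the allow-list only adds a check that the link target is an expected origin, and history.back() sidesteps the whole problem because nothing from the request is reflected into the page.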


