Referer Based XSS

Arbaz Hussain
2 min read, Jul 30, 2017

Severity: Medium

Complexity: High (exploitable with old versions of IE)

Weakness: Referer value used in the response body

  • While testing one of the private programs on HackerOne, I found that it has functionality to embed its users' articles on third-party sites.
  • While opening the articles from a third-party site, I noticed that they have an href labelled "GO BACK! If it Doesn't Load".
  • Checking the go back href:
<a href="">go back</a>
and try again. If this problem persists, please
<a href="/contact">contact us</a>
  • Exploit.html:
<form id='xx' name='exploit' method="GET" action=""></form>
  • When we send <script>alert(1);</script> to the victim,
  • the Referer value gets set to <script>alert(1);</script>, and on clicking "GO BACK!" the popup appears in IE.
  • The reason the attack works only on IE is that Internet Explorer does not URL-encode the values it sends in the Referer header, whereas Chrome and Firefox URL-encode the values to
  • They fixed it by using javascript:history.back():
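The reflection and the fix, as an added Python example that is not from this writeup or the program's own code: `go_back_link_vulnerable` models the href pattern described above, `referer_as_sent` models the browser difference the writeup describes (raw vs. percent-encoded Referer), and `go_back_link_hardened` is an assumed hardened form that escapes the value and falls back to `history.back()`. The Referer value and the `attacker.example` host are constructed.

```python
import html
from typing import Optional
from urllib.parse import quote, urlparse


def go_back_link_vulnerable(referer: str) -> str:
    # The pattern the writeup describes: the raw Referer header value is
    # written straight into the href attribute with no encoding at all.
    return f'<a href="{referer}">go back</a>'


def referer_as_sent(url: str, percent_encode: bool) -> str:
    # Models the browser difference the writeup describes: a browser that
    # percent-encodes the URL before sending it as Referer (the writeup's
    # Chrome/Firefox case) versus one that sends it untouched (old IE).
    if percent_encode:
        return quote(url, safe=":/?&=#")
    return url


def go_back_link_hardened(referer: Optional[str]) -> str:
    # Assumed hardened form (not the program's actual patch):
    # 1. only accept an absolute http(s) URL as a back target,
    # 2. HTML-escape it before placing it in the attribute,
    # 3. otherwise fall back to the history-based link used in the fix.
    if referer:
        parsed = urlparse(referer)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return f'<a href="{html.escape(referer, quote=True)}">go back</a>'
    return '<a href="javascript:history.back()">go back</a>'


def markup_contains_script(markup: str) -> bool:
    # Simple check a tester can run over rendered output: did the injected
    # tag survive into the HTML as a real tag, rather than as escaped text?
    return "<script>" in markup.lower()


if __name__ == "__main__":
    # Constructed Referer carrying the writeup's payload in its query string.
    raw = "https://attacker.example/embed?<script>alert(1);</script>"
    print(go_back_link_vulnerable(referer_as_sent(raw, percent_encode=False)))
    print(go_back_link_vulnerable(referer_as_sent(raw, percent_encode=True)))
    print(go_back_link_hardened(referer_as_sent(raw, percent_encode=False)))
```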