Severity : Medium
Complexity : High( Exploitable with old version of IE)
Weakness: Using Referer value is response body
- While Testing one of the private on Hackerone . They have functionality to Embed the articles of their user’s on third party site’s.
- While opening the article’s from third party site’s , Noticed that they have a href called “GO BACK! If it Doesn’t Load’s”
- Checking the go back href :
<a href="http://18.104.22.168/test.html">go back</a>
and try again. If this problem persists, please
<a href="/contact">contact us</a>
<form id=’xx’ name=’exploit’ method=”GET” action="https://site.com/articles/author/embed/112434/"></form>
- When we sent http://22.214.171.124/exploit.html?<script>alert(1);</script> to the victim.
- Referer value get’s set to http://126.96.36.199/exploit.html?<script>alert(1);</script> and by clicking on “GO BACK!” Popup will appear in IE.
- Reason why attack work’s only on IE is Internet Explorer doesn’t filter URL Encode values . Whereas Chrome and Firefox will URL encode the values to
- I would like to thank following blog post http://www.gremwell.com/exploiting_xss_in_referer_header