XSS via HTTP headers targets request headers that are hidden from most users and that web applications often reflect into a page without validating or encoding them.
Background
Suppose an application generates a "Back" link from the Referer header:
<?php
// Vulnerable: the raw header value lands inside the href attribute.
echo '<a href="';
echo $_SERVER['HTTP_REFERER'];
echo "\">Back</a>\n";
?>
The value of the Referer header is written, unencoded, into the href attribute of the Back link; the injection context is an HTML attribute, not a JavaScript string. A request carrying Referer: javascript:prompt(1) therefore produces <a href="javascript:prompt(1)">Back</a>, and the script runs when the user clicks Back. A value containing "> closes the attribute and the tag, so arbitrary markup such as a <script> element can be injected as well.
Testing
We can inject HTML and JavaScript if we can control the Referer header. From a browser this is done by making the victim visit an attacker page whose URL carries the payload; the page then auto-submits a form to the victim site.
Consider the following on the attacker's page:
<form id="test1" name="test1" method="GET" action="http://victimsite.com/main.php"></form>
<script>
document.getElementById("test1").submit();
</script>
The victim is tricked into visiting the attacker page at http://attackersite.com/xss.php/"><script>alert(1);</script>
When that page submits the form, the browser sends the attacker page's URL as the Referer of the request to http://victimsite.com/main.php. The victim site echoes it into the Back link, the "> in the URL closes the href attribute and the anchor tag, and the <script> payload executes in the victim site's origin.
Two caveats for current browsers: the URL parser percent-encodes ", < and > before the request leaves the browser, and the default Referrer-Policy (strict-origin-when-cross-origin) sends only the origin, not the path, on cross-origin requests. The browser-driven variant is therefore mostly a legacy-browser issue, but any direct client (curl, an intercepting proxy) can still send an arbitrary Referer, so the header must be treated as untrusted input and validated and attribute-encoded on the server before it is written into the page.
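The following is an added example, not code from the original post; it re-implements the Back-link rendering from the Background section in Python rather than PHP so the check can be run offline, and runs both the javascript: payload and the attribute-breakout URL from the Testing section through a vulnerable and a hardened renderer. SITE_HOST, the sample Referer values and the function names are assumptions made for the illustration.

```python
"""Back-link rendering from the Referer header: vulnerable vs. hardened.

Constructed example; SITE_HOST and the sample headers are assumptions.
"""
from html import escape
from urllib.parse import urlsplit

# Assumed host of the application that renders the Back link.
SITE_HOST = "victimsite.com"

# Constructed sample Referer values: the two payloads discussed in the text,
# a legitimate same-site URL carrying HTML-significant characters, and the
# empty case (header absent).
SAMPLES = {
    "javascript_url": "javascript:prompt(1)",
    "attribute_breakout": 'http://attackersite.com/xss.php/"><script>alert(1);</script>',
    "legit": 'http://victimsite.com/list.php?q=<b>&sort="asc"',
    "missing": "",
}


def back_link_vulnerable(referer: str) -> str:
    """Mirrors the page's PHP: the raw header value lands inside href="...".

    Neither the URL scheme nor HTML-significant characters are checked, so a
    javascript: URL or a '">' sequence reaches the markup verbatim.
    """
    return '<a href="' + referer + '">Back</a>'


def safe_back_target(referer: str, default: str = "/") -> str:
    """Reduce an untrusted Referer to a same-site path, or fall back to default.

    Checks, in order: the value is present; the scheme is http(s), which
    rejects javascript:, data:, vbscript: and friends (urlsplit lowercases the
    scheme, so JavaScript: is caught too); and the host is exactly our own,
    which rejects attackersite.com, victimsite.com.evil.com and
    victimsite.com@attackersite.com (whose real host is attackersite.com).
    Only the path and query survive, so the link can never leave the site.
    """
    if not referer:
        return default
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return default
    if parts.hostname != SITE_HOST:
        return default
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def back_link_hardened(referer: str) -> str:
    """Validate first, then attribute-encode; quote=True also escapes '"'."""
    return '<a href="' + escape(safe_back_target(referer), quote=True) + '">Back</a>'


if __name__ == "__main__":
    for name, ref in SAMPLES.items():
        print(f"{name:>19}: vulnerable -> {back_link_vulnerable(ref)}")
        print(f"{'':>19}  hardened   -> {back_link_hardened(ref)}")
```

The PHP equivalents of the two hardening steps are parse_url() for the scheme and host checks and htmlspecialchars($target, ENT_QUOTES, 'UTF-8') for the attribute encoding. Encoding alone is not enough: javascript:prompt(1) contains no HTML-significant characters, so it survives htmlspecialchars() unchanged and still executes on click, which is why the scheme allowlist comes first.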