Referer Based XSS
Severity: Medium
Arbaz Hussain
July 30, 2017 (Updated: May 15, 2018)
Complexity: High (exploitable with old versions of IE)
Weakness: Using the Referer value in the response body
While testing one of the private programs on HackerOne, I found that they have functionality to embed their users' articles on third-party sites.
When opening an article from a third-party site, I noticed a link labelled "GO BACK! If it Doesn't Load".
Checking the "go back" href (its target is taken from the Referer header), the rendered text reads:
go back and try again. If this problem persists, please contact us
Exploit.html
When we sent http://54.147.92.2/exploit.html? to the victim, the Referer value was set to http://54.147.92.2/exploit.html? and, on clicking "GO BACK!", the popup appeared in IE.
The attack works only in IE because Internet Explorer does not URL-encode the Referer value, whereas Chrome and Firefox URL-encode it to http://54.147.92.2/exploit.html?%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E
I would like to thank the following blog post: http://www.gremwell.com/exploiting_xss_in_referer_header
They fixed it by using javascript:history.back():
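As an added illustration (not code from the report or from the affected site), the following Python shows the reflection pattern the report describes beside a hardened version. The function names are mine; the Referer values, including the write-up's <script>alert(1);</script> payload, are constructed sample input.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample Referer values for this example. The hostile one is the
# write-up's payload as an old IE would send it: not URL-encoded.
BENIGN_REFERER = "https://example.org/articles/42"
HOSTILE_REFERER = "http://54.147.92.2/exploit.html?<script>alert(1);</script>"


def render_go_back_vulnerable(referer: str) -> str:
    """The pattern the report describes: the raw Referer header is copied
    into the response body, so whatever the browser sent lands in the HTML."""
    return f'<a href="{referer}">go back</a> and try again.'


def safe_back_link(referer: str) -> Optional[str]:
    """Return an attribute-encoded href, or None if the Referer is unusable.

    Only absolute http(s) URLs are accepted (javascript:, data: and relative
    values are rejected) and the result is HTML-encoded, so <, >, " and &
    can no longer alter the surrounding markup."""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(referer, quote=True)


def render_go_back_hardened(referer: Optional[str]) -> str:
    """Hardened rendering. When the Referer is missing or rejected, fall back
    to javascript:history.back(), the fix the report mentions, which embeds
    no request data in the page at all."""
    safe = safe_back_link(referer) if referer else None
    if safe is None:
        return '<a href="javascript:history.back()">go back</a> and try again.'
    return f'<a href="{safe}">go back</a> and try again.'


if __name__ == "__main__":
    for label, ref in (("benign", BENIGN_REFERER), ("hostile", HOSTILE_REFERER)):
        print(label, "vulnerable:", render_go_back_vulnerable(ref))
        print(label, "hardened:  ", render_go_back_hardened(ref))
```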