bananasplit bananasplit - 1 month ago 9
HTTP Question

How to exploit HTTP header XSS vulnerability?

Let's say that a page is just printing the value of the HTTP 'referer' header with no escaping. So the page is vulnerable to an XSS attack, i.e. an attacker can craft a GET request with a referer header containing something like


But how can you actually use this to attack a target? How can the attacker make the target issue that specific request with that specific header?


This sounds like a standard reflected XSS attack.

In reflected XSS attacks, the attacker needs the victim to visit some site which in some way is under the attacker's control. Even if this is just a forum where an attacker can post a link in the hope somebody will follow it.

In the case of a reflected XSS attack with the referer header, then the attacker could redirect the user from the forum to a page on the attacker's domain.


This page in turn redirects to the following target page in a way that preserves referer.

Because it is showing the referer header on this page without the proper escaping,<script>alert(123)> gets output within the HTML source, executing the alert. Note this works in Internet Explorer only.

Other browsers will automatically encode the URL rendering


instead which is safe.