In a recent bug bounty engagement, I discovered an XSS via the Referer header. The narrative below details the discovery logic.
Background
The Referer request header carries the address of the previous page from which the current page was requested. Applications use it to identify where users are visiting a page from, for analytics, caching and logging purposes, among others.
Narrative
After a few minutes of probing the application, a sub-menu with a button to add a new client and its matching source address to the application was revealed.
I fired up Burp and tampered with the request as I clicked this button. Before entering the necessary fields and submitting the form, we can see nothing more than a couple of headers, including the Referer header.
Some tests later, I discovered a reflected XSS in the Referer header field. The standard alert("XSS") did not yield anything, so I tried out a couple of different custom payloads stored on my mth3l3m3nt.
The JavaScript payload javascript:alert("I am XSS compliant!") did the trick. On forwarding the request, we see a page with two options, 'create' and 'cancel'.
The cancel button is mapped to the previous page, as suspected, using an <a href> tag, as seen in the source code.
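The defensive side of this bug, as an added example that is not the application's code: the vulnerable pattern (Referer dropped straight into the cancel link's href) next to a hardened version that only accepts http(s) URLs on the application's own host, falls back to a fixed in-app path otherwise, and HTML-escapes the attribute value. The hostname and fallback path are assumed placeholders.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

APP_HOST = "app.example"   # assumed hostname of the application (placeholder)
DEFAULT_BACK = "/clients"  # assumed safe fallback target for the cancel link (placeholder)


def cancel_link_vulnerable(referer: str) -> str:
    """Reproduces the bug described above: the raw Referer value becomes the
    href of the cancel button, so a javascript: URL in the header is rendered
    as an executable link."""
    return f'<a href="{referer}">cancel</a>'


def safe_back_url(referer: Optional[str]) -> str:
    """Return a URL that is safe to use as the cancel target.

    Only http(s) URLs whose host is our own application are accepted; a
    javascript:/data: scheme, a foreign host, a missing header or unparsable
    input all fall back to a fixed in-app path."""
    if not referer:
        return DEFAULT_BACK
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return DEFAULT_BACK
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_BACK
    if (parts.hostname or "").lower() != APP_HOST:
        return DEFAULT_BACK
    # Re-emit only the path and query, never the raw header string.
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def cancel_link_hardened(referer: Optional[str]) -> str:
    """Validate scheme and host first, then HTML-escape the value that ends
    up inside the attribute so quotes cannot break out of it."""
    return f'<a href="{escape(safe_back_url(referer), quote=True)}">cancel</a>'
```

Constructed inputs to try: the page's own javascript: payload, a same-host URL, a foreign host, and a missing header; only the same-host URL survives into the link.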
And finally…
I also did:
- javascript:alert(document.cookie) (popped a session cookie)
- javascript:alert(document.domain) (pops the domain property of the document object)
- javascript:window.location.href=("https://www.google.com") (well…)