Reflected XSS via Referer header

In a recent bug bounty engagement, I discovered an XSS via the Referer header. The narrative below details how it was found.

Background

The Referer request header carries the address of the previous page from which the current request was made. Applications use it to identify where visitors arrived from, for analytics, caching and logging purposes, among others.

Narrative

After a few minutes of probing the application, a sub menu with a button to add a new client and its matching source address to the application was revealed.

I fired up Burp and intercepted the request as I clicked this button. Before entering the necessary fields and submitting the form, we see nothing more than a couple of headers, including the Referer header.

Some tests later, I discovered a reflected XSS in the Referer header field. The standard alert("XSS") did not yield anything, so I tried a couple of different custom payloads stored in my mth3l3m3nt.

The JavaScript payload javascript:alert("I am XSS compliant!") did the trick. On forwarding the request, we see a page with two options, 'create' and 'cancel'.

The cancel button is mapped to the previous page, as suspected, through an href attribute populated from the Referer header, as seen in the source code. That explains why a bare alert() did nothing while a javascript: URI worked: the value lands inside a link target, so it only runs when the browser follows the link.

And finally…

I also did:

  • javascript:alert(document.cookie) (popped a session cookie)
  • javascript:alert(document.domain) (pops the domain property of the document object)
  • javascript:window.location.href=("https://www.google.com") (well…)
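The root cause described above, as an added example that is not code from the original post: a Cancel link built straight from the Referer header beside a hardened version that only accepts same-host http(s) URLs and escapes the result. The host name app.example.com and the function names are assumptions for illustration.

```python
from html import escape
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def cancel_link_vulnerable(referer: str) -> str:
    """Vulnerable form (constructed): the Referer value is reflected into the
    href unchanged, so a javascript: URI becomes a live link target."""
    return f'<a href="{referer}">cancel</a>'


def safe_referer(referer: str, own_host: str, fallback: str = "/") -> str:
    """Reduce a Referer value to a back-link target that is safe in an href.

    Only absolute http(s) URLs whose host matches the application's own host
    are accepted; javascript:, data:, foreign hosts, relative paths and empty
    values all fall back to a fixed local path.
    """
    if not referer:
        return fallback
    try:
        parts = urlparse(referer.strip())
    except ValueError:
        return fallback
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback
    if (parts.hostname or "").lower() != own_host.lower():
        return fallback
    # Re-serialize only path and query: drops userinfo, port and fragment,
    # so the original string is never copied into the page as-is.
    path = parts.path or "/"
    return path + (f"?{parts.query}" if parts.query else "")


def cancel_link_safe(referer: str, own_host: str) -> str:
    """Hardened form: validated target, then HTML-attribute escaped."""
    target = safe_referer(referer, own_host)
    return f'<a href="{escape(target, quote=True)}">cancel</a>'


if __name__ == "__main__":
    # Constructed sample inputs mirroring the post's scenario.
    host = "app.example.com"
    for ref in ["https://app.example.com/clients?page=2",
                'javascript:alert("I am XSS compliant!")',
                "https://www.google.com"]:
        print(cancel_link_vulnerable(ref))
        print(cancel_link_safe(ref, host))
```
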