In a recent bug bounty engagement, I discovered an XSS via the Referer header. The narrative below details the discovery logic.
The Referer request header is used by the application to record the address of the previous web request that led to the current page being visited. It basically identifies where users are visiting a page from, for analytics, caching and logging purposes, among others.
After a few minutes of probing the application, I found a sub-menu with a button to add a new client and its matching source address to the application.
I fired up Burp and intercepted the request as I clicked this button. Before entering the necessary fields and submitting the form, the request contained nothing more than a couple of headers, including the Referer header.
Some tests later, I discovered a reflected XSS in the Referer header field. The standard alert("XSS") did not fire, so I tried out a couple of different custom payloads stored in my mth3l3m3nt.
The cancel button is mapped to the previous page, as suspected, using an href attribute, as seen in the source code.
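As an added illustration (my own example, not code from the post or the target application), here is the reflection pattern the post describes beside a hardened version that only trusts same-origin Referer values and encodes the result for the attribute context; the application host name, the fallback path and the sample Referer values are assumed.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Assumed: the host name of the application itself.
APP_HOST = "app.example"


def vulnerable_cancel_link(referer: str) -> str:
    """Reflects the raw Referer header into an href attribute (the pattern in the post)."""
    # Any quote or angle bracket in the header lands unencoded in the HTML.
    return f'<a href="{referer}">Cancel</a>'


def safe_cancel_link(referer: Optional[str], fallback: str = "/clients") -> str:
    """Builds the cancel link from the Referer only when it points back into this application."""
    target = fallback
    if referer:
        parts = urlsplit(referer)
        # Accept only http(s) URLs on the application's own host; anything else
        # (foreign origins, non-http schemes, garbage) falls back to a fixed path.
        if parts.scheme in ("http", "https") and parts.netloc.lower() == APP_HOST:
            target = referer
    # Encode for the attribute context regardless of origin, so a same-origin URL
    # containing '"' or '&' cannot break out of the attribute.
    return f'<a href="{html.escape(target, quote=True)}">Cancel</a>'


if __name__ == "__main__":
    # Constructed sample header values for demonstration.
    print(vulnerable_cancel_link('https://evil.example/x"<y'))
    print(safe_cancel_link('https://evil.example/x"<y'))
    print(safe_cancel_link("https://app.example/clients?page=2"))
```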
I also did: