by Anshuman    May 23, 2019

This is the demonstration of Cross-Site Scripting attack in referer header, I’ll be using bWAPP and bWAPP is a buggy web application and we can use to test various vulnerabilities in the web.

bWAPP Official Link:- http://www.itsecgames.com/

Now please choose Cross-site-Scripting — Reflected (Back Button) from the drop-down menu and click Hack.

What is referer header?

It’s an HTTP header field which contains the address of the previous web page from which the currently requested page was followed.

So in this demo, when I will press the back button it will go back to the portal page. Because our demo page was requested by the portal page so that when I press the back button, in the HTTP referer header the portal page link was defined as a referer.

So in order to inject our payload, we need to intercept the HTTP request of these two pages so that we can inject our payload to the HTTP Referer header.

To intercept the request we can use Burp suite.

What is Burp Suite?

Burp suite is a graphical tool which is used to test Web application security and by the help of this tool, we can identify the vulnerability in the web.

If you want to know more about this tool then you can visit their official website. Portswigger.

So to intercept the first request go to the proxy tab and click on the intercept button to start intercepting the HTTP request.

And now go to the portal page and choose again Cross-site-Scripting — Reflected (Back Button) and click Hack.

And now open burp suite to see the intercept details.

As you can see we got the header details of the portal page and to check next page header details just click on the forward button so that it will forward the request to the next page.

So click on the forward button until you reach to "xss_back_button.php" page.

So now as you can see here we got the HTTP header details of back button page and if you check the Referer header then you can see the URL of the portal page because this page was requested by the portal.php page.

So to test our payload first let’s try a simple string let’s say "This is a buggy referer header" and click forward.

As you can see the intercepted message reflecting on view page source so now we can inject JavaScript payload.

So let’s go to the burp suite and turn off the intercept. And follow the same steps again to intercept the request.

Now let’s inject our payload but in this payload, we can’t write <script> tag because it’s already inside onClick method so first, you need to terminate the previous statement and write the current payload.

;alert('This is a buggy referer header');

And click forward go back to the webpage so now if I’ll click on the back button then our payload should work.

As you can see we are able to inject JavaScript payload to the referer header.

How do we prevent this attack?

1.User input needs to be encoded in the HTTP header and developer can implement filters which will eliminate any scripting tags.

2.And in some cases, X-XSS-Protection header can prevent some level of XSS (cross-site-scripting) attacks as it’s an add-on to the browsers to sanitize HTML responses.

I hope you guys like this post-bye bye for now.

Happy Hacking :)

BUG BOUNTY