webappsec March 2012 archive
Main Archive Page > Month Archives  > webappsec archives
webappsec: Re: Help with referer issues in XSS

Re: Help with referer issues in XSS

From: Yuping Li <lyp20062392_at_nospam>
Date: Wed Mar 07 2012 - 04:35:49 GMT
To: "Ward, Jon" <Jon_Ward@syntelinc.com>, ray.bradbury9@gmail.com, stefano.dipaola@wisec.it

Hi,

Thanks for all your response. The premise of my situation is that
there is a XSS bug in the site, and I want to utilize this vul to do
something more, for example, forge some post requests in my js code,
you may recall the glorious "Samy" story here. But the server is now
checking the referer field of any request, and the expected referer
should be like this: http://(www.)example.com(/xxx).

And can't be:
1, no referer
2, (example.com.***).attack.com/...

 Until last second, I came to realize that the host part in the
referer field can only be http://(www.)example.com, and the request
will fail if the referer contain some sort of "xss attempt", but I can
only launch the post requests in the xssed page which means the xss
attempt will inevitable be contained in the referer field of a normal
request. Of course I can set it with firefox addons, but there is no
point here.

Seems if there is no programming way to set my own referer of my post
request and their xss detecting techniques of referer are good enough,
I may have no hope.

Yuping

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------