TheReferrerSource - domxsswiki - Dom Xss Test Cases Wiki Cheatsheet Project

‹‹

››

Introduction
Sources

Sinks

Execution Sinks
Set Object Sinks
HTMLElement Sinks
Style Sinks

cssText Sink

XMLHttpRequest Sink
Set Cookie Sink
Set Location Sink
Control Flow Sink
Use of Equality And Strict Equality
Math.random Sink
JSON Sink
XML Sink
Common JavaScript libraries

jQuery

TheReferrerSource

ToBeCompletedWithSafariTests

Updated May 17, 2011 by stefano....@gmail.com

The Referrer Source

The following table shows how direct call of

document.referrer

are natively treated:

Source	browser	version	pathInfo	Search	Hash	output sample
document.referrer	IE 8	8	33 (`!`), 38 (`&`), 39 (`'`), 40 (`(`), 41 (`)`), 42 (`*`), 43 (`+`), 44 (`,`), 45 (`-`), 46 (`.`), 47 (`/`), 58 (`:`), 59 (`;`), 61 (`=`), 64 (`@`), 91 (`[`), 93 (`]`), 95 (`_`), 126 (`~`), `[`128 - 255`]`	1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32 ( ), 33 (`!`), 34 (`"`), 38 (`&`), 39 (`'`), 40 (`(`), 41 (`)`), 42 (`*`), 43 (`+`), 44 (`,`), 45 (`-`), 46 (`.`), 47 (`/`), 58 (`:`), 59 (`;`), 60 (`<`), 61 (`=`), 62 (`>`), 63 (`?`), 64 (`@`), 91 (`[`), 92 (`\`), 93 (`]`), 94 (`^`), 95 (`_`), 96 (`), 123 (`{`), 124 (`\|`), 125 (`}`), 126 (`~`), `[`127 - 255`]`	none	http://host/path/to/page.ext/test%3Ca%22%27%0A%60=%20+%20%3E;test%3Ca%22%27%0A%60=%20+%20%3E?test%3Ca%22%27%0A%60=%20+%20%3E;
document.referrer	Firefox	3.6.15 - 4	33 (`!`), 37 (`%`), 38 (`&`), 40 (`(`), 41 (`)`), 42 (`*`), 43 (`+`), 44 (`,`), 45 (`-`), 46 (`.`), 47 (`/`), 58 (`:`), 59 (`;`), 61 (`=`), 64 (`@`), 91 (`[`), 92 (`\`), 93 (`]`), 94 (`^`), 95 (`_`), 123 (`{`), 124 (`\|`), 125 (`}`), 126 (`~`)	33 (`!`), 37 (`%`), 38 (`&`), 40 (`(`), 41 (`)`), 42 (`*`), 43 (`+`), 44 (`,`), 45 (`-`), 46 (`.`), 47 (`/`), 58 (`:`), 59 (`;`), 61 (`=`), 63 (`?`), 64 (`@`), 91 (`[`), 92 (`\`), 93 (`]`), 94 (`^`), 95 (`_`), 123 (`{`), 124 (`\|`), 125 (`}`), 126 (`~`)	None	http://host/path/to/page.ext/test%3Ca%22'%0A%60=%20+%20%3E;test%3Ca%22'%0A%60=%20+%20%3E?test<a"'%0A`=%20+%20>;
document.referrer	Chrome	6.0.472.53 beta	33 (`!`), 37 (`%`), 38 (`&`), 39 (`'`), 40 (`(`), 41 (`)`), 42 (`*`), 43 (`+`), 44 (`,`), 45 (`-`), 46 (`.`), 47 (`/`), 58 (`:`), 59 (`;`), 61 (`=`), 64 (`@`), 91 (`[`), 93 (`]`), 95 (`_`), 126 (`~`)	33 (`!`), 37 (`%`), 38 (`&`), 39 (`'`), 40 (`(`), 41 (`)`), 42 (`*`), 43 (`+`), 44 (`,`), 45 (`-`), 46 (`.`), 47 (`/`), 58 (`:`), 59 (`;`), 61 (`=`), 63 (`?`), 64 (`@`), 91 (`[`), 92 (`\`), 93 (`]`), 94 (`^`), 95 (`_`), 96 (`), 123 (`{`), 124 (`\|`), 125 (`}`), 126 (`~`)	None	http://host/path/to/page.ext/test%3Ca%22'%0A%60=%20+%20%3E;test%3Ca%22'%0A%60=%20+%20%3E?test%3Ca%22'%0A`=%20+%20%3E;
document.referrer	Opera	10.61	33 (`!`), 37 (`%`), 38 (`&`), 39 (`'`), 40 (`(`), 41 (`)`), 42 (`*`), 43 (`+`), 44 (`,`), 45 (`-`), 46 (`.`), 47 (`/`), 58 (`:`), 59 (`;`), 61 (`=`), 64 (`@`), 91 (`[`), 93 (`]`), 94 (`^`), 95 (`_`), 96 (`), 123 (`{`), 124 (`\|`), 125 (`}`), 126 (`~`), `[`127 - 255`]`	33 (`!`), 37 (`%`), 38 (`&`), 39 (`'`), 40 (`(`), 41 (`)`), 42 (`*`), 43 (`+`), 44 (`,`), 45 (`-`), 46 (`.`), 47 (`/`), 58 (`:`), 59 (`;`), 61 (`=`), 63 (`?`), 64 (`@`), 91 (`[`), 93 (`]`), 94 (`^`), 95 (`_`), 123 (`{`), 124 (`\|`), 125 (`}`), 126 (`~`)	None	http://host/path/to/page.ext/test%3Ca%22'%0A`=%20+%20%3E;test%3Ca%22'%0A`=%20+%20%3E?test%3Ca%22'%0A%60=%20+%20%3E;

(To Be Finished with Safari tests)

Important Note

As shown here Internet Explorer allows special characters in the hostname. That is an attacker could setup a DNS wildcard and create entry for hostnames like the following:

">host<img%20src=s%20onerror=alert(1)>.attacker.com

If we suppose a JavaScript code like the following:

with(document)
 write('<sc'+"ript src="http://Host/image.gif?t="+c+"r="+(referrer.split("/")[2])+"></sc"+'ript>');

it can be easily seen that, according to what has been said, the code is exploitable.

► Sign in to add a comment