---
layout: post
status: publish
published: true
title: JavaScript Referer Scripts XSS Injection
wordpress_id: 293
wordpress_url: http://pro.grammatic.org/post-javascript-referer-scripts-xss-injection-5.aspx
date: !binary |-
  MjAwNy0wNS0xNSAxMzo1MjowNiArMDIwMA==
date_gmt: !binary |-
  MjAwNy0wNS0xNSAxMzo1MjowNiArMDIwMA==
categories:
- Technology
- InfoSec
tags:
- information security
- mod_rewrite
- XSS
comments: []
---
Many sites use JavaScript to inject a hidden form field into their 404 pages so that the page which pointed to the broken link can be traced. An example of this can be found at http://www.yaldex.com/FSPageDetails/_404Referrer.htm. The attentive observer will spot that this method of writing the field injects the HTTP referrer (document.referrer) directly into the page markup without any sanitization.
So what? It is very difficult to forge referrers from a malicious website. However, with the help of the Apache mod_rewrite module it is possible to create referrer strings which contain malicious content.
The process for exploitation is as follows:
Note that this is far harder to exploit in Firefox. This is because of the way the URLs are encoded, making it very difficult to inject anything other than a style tag and, as mentioned in my previous post, Firefox does not yet support loading of XBL documents without a fragment identifier.
To protect against this type of injection you should always filter ANY input passed directly to the page... even HTTP headers such as Referer.
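To make the problem in the referrer-tracking pattern concrete, here is an added example (not code from the original post or from the linked yaldex script) showing the unsafe string-concatenation approach beside two hardened forms: escaping the value before it is written into markup, and setting the DOM property directly so no markup is built from the header at all. The sample referrer and the helper names are constructed for this illustration.

```javascript
// Added example: unsafe vs. hardened handling of document.referrer in a 404 page.
// Runs in Node or a browser; the DOM variant takes the document as a parameter.

// Unsafe: the referrer is concatenated straight into HTML, so a quote or angle
// bracket in the Referer header terminates the attribute and becomes markup.
function unsafeReferrerField(referrer) {
  return '<input type="hidden" name="referrer" value="' + referrer + '">';
}

// Escape the characters that change meaning inside HTML text or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hardened: accept only http(s) URLs and escape before building markup.
function safeReferrerField(referrer) {
  const ref = String(referrer || '');
  if (!/^https?:\/\//i.test(ref)) {
    return '<input type="hidden" name="referrer" value="">';
  }
  return '<input type="hidden" name="referrer" value="' + escapeHtml(ref) + '">';
}

// Better still in a browser: never build markup from the header. Create the
// element and assign the value as a DOM property, which cannot be broken out of.
function appendReferrerField(form, referrer, doc) {
  const input = doc.createElement('input');
  input.type = 'hidden';
  input.name = 'referrer';
  input.value = String(referrer || '');
  form.appendChild(input);
  return input;
}

// Constructed sample referrer containing attribute-breaking characters.
const SAMPLE_REFERRER = 'http://example.invalid/?q="><i>probe</i>';
```

Compare `unsafeReferrerField(SAMPLE_REFERRER)` with `safeReferrerField(SAMPLE_REFERRER)`: the first emits a live `<i>` element, the second emits only entity-encoded text.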