HTTP Referer

Re: HTTP Referer

WhiteAcid — Fri, 06 Oct 2006 12:13:36 -0500

oh. lol. hehehe.

Re: HTTP Referer

rsnake — Fri, 06 Oct 2006 11:46:23 -0500

I was making a joke about him hosting XSS on his intranet so that your flash file might have some "extra" stuff in it so that you can start reading stuff from his intranet. It's just a joke - you need sleep.

Re: HTTP Referer

WhiteAcid — Thu, 05 Oct 2006 19:38:17 -0500

Quote

And if you do that, you are risking that his XSS doesn't use the XSS you built in that localhost function to know a lot more about whatever you have running on localhost. ;)

I'm sorry... I know it's 1:35am here, but that just makes no sense to me.

I had deliberately left the 127.0.0.1 bit in these, assuming he'd code that on his localhost. No way would I host a file like that on my site. Note that I do have one file vulnerable to XSS (deliberately so). It was made ages ago to teach some people the basics of XSS.

Re: HTTP Referer

rsnake — Thu, 05 Oct 2006 19:28:35 -0500

And if you do that, you are risking that his XSS doesn't use the XSS you built in that localhost function to know a lot more about whatever you have running on localhost. ;)

But WhiteAcid would NEVER do that. ;)

Anyway, to answer your question beyond those two methods there really isn't any good way other than some browsers just don't send referrers, if you have one of those you can trap them and make them do something else. But yah, those are the three good ways.

Re: HTTP Referer

WhiteAcid — Thu, 05 Oct 2006 19:03:33 -0500

Well... using flash you can set it to a blank value, but this is IE only.
As an example, create a file called show_ref.php and make it contain:

, then load http://www.whiteacid.org/misc/xss_headers.php?xss_target=http://127.0.0.1/show_ref.php&Referer= in IE and click the submit button, voila, you've loaded a page without a referer.

HTTP Referer

bburg — Thu, 05 Oct 2006 14:17:16 -0500

Does anyone know if there is a way to force the client's browser to strip its referer information? I know that you can do this with a META redirect, and possibly JavaScript, but what if these aren't an option? Thanks!