So what? A malicious website cannot simply forge an arbitrary Referer header, but with Apache's mod_rewrite module it can serve a page at a URL that contains a malicious string. When a visitor follows a link from that page to the target, the browser sends that URL, payload included, as the Referer, and any target page that reflects the Referer without encoding it is exposed.
The process for exploitation is as follows:
- Create a .htaccess file containing a mod_rewrite rule with a capture, for example RewriteRule XSSReferer/(.+)$ /xss_test_referer.htm (preceded by RewriteEngine On). This forwards all requests under the XSSReferer directory to xss_test_referer.htm, in this case a page with a link to the target. Note that because mod_rewrite performs the rewrite internally, the Referer sent by the browser is NOT xss_test_referer.htm but the URL as originally entered.
- Visit the virtual RewriteRule URL with a malicious string. An example for IE7 is http://www.md5-db.com/XSSReferer/'style=xx:expression(alert(1));othervar=' which, on a target that reflects the Referer into a single-quoted attribute, will display a standard XSS test and probably crash your browser.
Note that this is far harder to exploit in Firefox. Because of the way Firefox encodes URLs it is very difficult to inject anything beyond a style attribute, and, as mentioned in my previous post, Firefox does not yet support loading XBL documents without a fragment identifier.
To protect against this type of injection you should treat ANY input that reaches the page as untrusted and encode it for the context in which it is output... including HTTP headers such as Referer, which are just as attacker-controlled as a query string.
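To make the flow above concrete, here is an added example (not code from the original post or from md5-db.com) that models the target side of the attack: the request a browser would send after following the link on the rewritten attacker page, a page that reflects the Referer the vulnerable way, and the same page with the output encoding the last paragraph calls for. The Referer value is the IE7 payload URL from the post; the target hostname, the `back` link markup and the handler names are assumptions made for the illustration.

```python
"""Added example, not from the original post: a Referer reflection
in the vulnerable form the post describes, beside a hardened form.
The target host and page markup are assumptions for illustration."""
import html
from urllib.parse import urlsplit

# Constructed request: what the browser sends to the target after the user
# follows a link from the attacker's page. mod_rewrite served that page
# internally, so the Referer is the URL as typed, payload included, and
# not /xss_test_referer.htm.
ATTACKER_URL = ("http://www.md5-db.com/XSSReferer/"
                "'style=xx:expression(alert(1));othervar='")
CONSTRUCTED_HEADERS = {"Host": "target.example", "Referer": ATTACKER_URL}


def vulnerable_page(headers):
    """Echo the Referer into a single-quoted attribute with no encoding.

    This is the flaw the post exploits: the ' in the header closes the
    href attribute and style=xx:expression(...) becomes a new attribute.
    """
    referer = headers.get("Referer", "")
    return f"<a href='{referer}'>back</a>"


def hardened_page(headers):
    """Same page, with the Referer treated as untrusted input.

    1. Only an http(s) URL with a host is accepted; anything else is
       dropped instead of reflected (a forged client can send any bytes).
    2. The value is HTML-attribute encoded on output; quote=True turns
       both ' and " into entities, so the attribute cannot be closed.
    """
    referer = headers.get("Referer", "")
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        referer = ""
    return f"<a href='{html.escape(referer, quote=True)}'>back</a>"


def injected_attribute_present(markup):
    """True if an unencoded quote followed by style= reached the markup,
    i.e. the payload broke out of the attribute."""
    return "'style=" in markup


if __name__ == "__main__":
    print("vulnerable:", vulnerable_page(CONSTRUCTED_HEADERS))
    print("hardened:  ", hardened_page(CONSTRUCTED_HEADERS))
```

The hardened handler still reflects the Referer, which is often a legitimate requirement; the difference is that the value is validated on input and encoded for the attribute context on output, so the single quote in the payload arrives as `&#x27;` and never terminates the `href`.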