-
Notifications
You must be signed in to change notification settings - Fork 80
Referrer source
Ohpe edited this page Jan 29, 2016
·
1 revision
The following table shows how direct call of document.referrer are natively treated:
| Source | browser | version | pathInfo | Search | Hash | output sample |
|---|---|---|---|---|---|---|
document.referrer |
IE 8 | 8 | 33 (!), 38 (&), 39 ('), 40 ((), 41 ()), 42 (*), 43 (+), 44 (,), 45 (-), 46 (.), 47 (/), 58 (:), 59 (;), 61 (=), 64 (@), 91 ([), 93 (]), 95 (_), 126 (~), [128 - 255]
|
1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32 ( ), 33 (!), 34 ("), 38 (&), 39 ('), 40 ((), 41 ()), 42 (*), 43 (+), 44 (,), 45 (-), 46 (.), 47 (/), 58 (:), 59 (;), 60 (<), 61 (=), 62 (>), 63 (?), 64 (@), 91 ([), 92 (\), 93 (]), 94 (^), 95 (_), 96 (`), 123 ({), 124 (|), 125 (}), 126 (~), [127 - 255]
|
none | http://host/path/to/page.ext/test;test?test; |
document.referrer |
Firefox | 3.6.15 - 4 | 33 (!), 37 (%), 38 (&), 40 ((), 41 ()), 42 (*), 43 (+), 44 (,), 45 (-), 46 (.), 47 (/), 58 (:), 59 (;), 61 (=), 64 (@), 91 ([), 92 (\), 93 (]), 94 (^), 95 (_), 123 ({), 124 (` |
), 125 (}), 126 (~`) |
33 (!), 37 (%), 38 (&), 40 ((), 41 ()), 42 (*), 43 (+), 44 (,), 45 (-), 46 (.), 47 (/), 58 (:), 59 (;), 61 (=), 63 (?), 64 (@), 91 ([), 92 (\), 93 (]), 94 (^), 95 (_), 123 ({), 124 (|), 125 (}), 126 (~) |
None |
document.referrer |
Chrome | 6.0.472.53 beta | 33 (!), 37 (%), 38 (&), 39 ('), 40 ((), 41 ()), 42 (*), 43 (+), 44 (,), 45 (-), 46 (.), 47 (/), 58 (:), 59 (;), 61 (=), 64 (@), 91 ([), 93 (]), 95 (_), 126 (~) |
33 (!), 37 (%), 38 (&), 39 ('), 40 ((), 41 ()), 42 (*), 43 (+), 44 (,), 45 (-), 46 (.), 47 (/), 58 (:), 59 (;), 61 (=), 63 (?), 64 (@), 91 ([), 92 (\), 93 (]), 94 (^), 95 (_), 96 (`), 123 ({), 124 (|), 125 (}), 126 (~) |
None | http://host/path/to/page.ext/test;test?test; |
document.referrer |
Opera | 10.61 | 33 (!), 37 (%), 38 (&), 39 ('), 40 ((), 41 ()), 42 (*), 43 (+), 44 (,), 45 (-), 46 (.), 47 (/), 58 (:), 59 (;), 61 (=), 64 (@), 91 ([), 93 (]), 94 (^), 95 (_), 96 (`), 123 ({), 124 (|), 125 (}), 126 (~), [127 - 255]
|
33 (!), 37 (%), 38 (&), 39 ('), 40 ((), 41 ()), 42 (*), 43 (+), 44 (,), 45 (-), 46 (.), 47 (/), 58 (:), 59 (;), 61 (=), 63 (?), 64 (@), 91 ([), 93 (]), 94 (^), 95 (_), 123 ({), 124 (|), 125 (}), 126 (~) |
None | http://host/path/to/page.ext/test;test?test; |
(To Be Finished with Safari tests)
Important Note
As shown here Internet Explorer allows special characters in the hostname. That is an attacker could setup a DNS wildcard and create entry for hostnames like the following:
">host<img%20src=s%20onerror=alert(1)>.attacker.com
If we suppose a JavaScript code like the following:
with(document)
write('<sc'+"ript src="http://Host/image.gif?t="+c+"r="+(referrer.split("/")[2])+"></sc"+'ript>');it can be easily seen that, according to what has been said, the code is exploitable.
- Home
- Sources
-
Sinks
- Direct Execution Sinks
- Set Object Sinks
- HTML Manipulation Sinks
- Style Sinks
- XMLHttpRequest Sink
- Set Cookie Sink
- Set Location Sink
- Control Flow Sink
- [Use of Equality And Strict Equality](Use of Equality And Strict Equality)
- Math.random Sink
- JSON Sink
- XML Sink
- [Common JavaScript libraries](Common JavaScript libraries)
- String Manipulation Methods
- Local DOMXSS
- Finding DOMXSS
- Object Shadowing
- Filters
- Glossary
- References