Project & Referer XSS Lab

Discover vulnerabilities in project parameter and Referer header

Dual Vulnerability Challenge

Lab Overview

This lab contains two different XSS vulnerabilities - one in the project parameter with incomplete filtering, and another in the HTTP_REFERER header with no filtering at all.

Visible Challenge: Basic HTML encoding using htmlspecialchars() for both the first name (fname) and last name (lname) parameters.
Vulnerable Parameters: Two inputs are reflected without adequate encoding: project (GET parameter) and HTTP_REFERER (request header).
Project Parameter Filter: String replacement that blocks specific tag names but has limited coverage.
Blocked strings: script, Script, sCript, scRipt, scrIpt, scriPt, scripT, SCript, SCRipt, SCRIpt, SCRIPt, img, image, svg, audio, video, body
Filter method: str_replace($arr, '/\/', $_GET['project']) (case-sensitive; only the listed spellings are replaced)
Referer Header: No filtering applied; the Referer header value is output directly.
Vulnerability: echo $_SERVER['HTTP_REFERER']; is completely unfiltered.
Filter Complexity: Limited blocklist filtering

Objective: Exploit both the project parameter filter bypass and the unfiltered Referer header to execute XSS.

Backend Source Code
// Lab backend (deliberately vulnerable): fname/lname are encoded, project and the Referer header are not.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    // Challenge 1: correct HTML encoding; ENT_QUOTES also converts single quotes
    echo htmlspecialchars($_GET["fname"], ENT_QUOTES);
    echo htmlspecialchars($_GET["lname"], ENT_QUOTES);
}
elseif(isset($_GET["project"])){
    // Challenge 2: case-sensitive blocklist; str_replace() only rewrites these exact spellings
    $arr = array('script','Script','sCript','scRipt','scrIpt','scriPt','scripT',
    'SCript','SCRipt','SCRIpt','SCRIPt','img','image','svg','audio','video','body');
    $re = str_replace($arr, '/\/', $_GET['project']);
    echo $re; // anything the blocklist misses is reflected as raw HTML
}
// Challenge 3: request header echoed verbatim into the page on every request
echo $_SERVER['HTTP_REFERER'];
Test Input Forms
Challenge 1: HTML Encoding (Visible)
Both fields (first name and last name) are output through htmlspecialchars() encoding

Challenge 2: Project Parameter
Hint: The project parameter uses incomplete filtering. Try alternative HTML tags and attributes.
This parameter uses limited filtering with string replacement

Challenge 3: Referer Header
Hint: The Referer header is completely unfiltered. You need to modify the Referer header to test this vulnerability.
To test this vulnerability, you need to modify the Referer header using tools like Burp Suite, browser extensions, or cURL.
Challenge 3 Output (Referer Header - Unfiltered)
The page echoes the Referer header of the current request here, or shows "No Referer header set" when the request carries none. The Referer header is completely unfiltered - major vulnerability!
Exploitation Techniques
Project Parameter Bypass:
  • Alternative tags: Use <iframe>, <object>, <embed>
  • Event handlers: Use onload, onerror, onclick
  • Uncommon tags: Try <marquee>, <applet>, <isindex>
  • Case variations: Try <SCRIPT> (all uppercase) or mixed case not in filter
  • Alternative attributes: Use src, href, data attributes
Referer Header Testing:
  • Browser Extensions: Use Referer control extensions
  • Burp Suite: Intercept request and modify Referer header
  • cURL: curl -H "Referer: PAYLOAD" URL
  • Python requests: requests.get(url, headers={'Referer': 'PAYLOAD'})
  • Browser Dev Tools: Use fetch API with custom Referer
Security Implications

This lab demonstrates:

  • Incomplete filtering creates security vulnerabilities
  • HTTP headers can be attack vectors for XSS
  • Limited blocklists are easily bypassed
  • Multiple input sources need security validation
  • User-controlled headers should be treated as untrusted input
  • Referer header manipulation is a common attack technique
Best Practices

For secure web applications:

  • Validate and sanitize all user inputs, including headers
  • Use context-aware output encoding
  • Implement Content Security Policy (CSP) headers
  • Treat all HTTP headers as untrusted input
  • Use security headers: X-XSS-Protection, X-Content-Type-Options
  • Conduct comprehensive security testing of all input vectors
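The lab backend shown under Backend Source Code, rewritten according to this list, as an added example (this is not the lab's own code). It keeps the same fname, lname and project parameter names and assumes PHP 7.4 or later; the h() helper name and the CSP values are this example's choices.

```php
<?php
// Added example (not the lab's code): hardened version of the lab backend.
// Every reflected value, including the Referer header, goes through one
// context-aware encoder; the blocklist is dropped entirely.

// Encode a value for an HTML text node or a quoted attribute value.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE keeps malformed
// UTF-8 from collapsing the whole output to an empty string.
// Not sufficient for JavaScript string or URL contexts; those need their own encoder.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CSP without 'unsafe-inline' blocks inline event handlers (onload=...) and
// javascript: URLs even if an encoding mistake slips through elsewhere.
// X-XSS-Protection is deliberately omitted: current browsers no longer honor it.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');
// Limit what this page itself sends in Referer to other origins.
header('Referrer-Policy: strict-origin-when-cross-origin');

if (isset($_GET['fname'], $_GET['lname'])) {
    echo h($_GET['fname']);
    echo h($_GET['lname']);
} elseif (isset($_GET['project'])) {
    // Original: str_replace() of a tag-name blocklist, then raw echo.
    // Hardened: the value is never interpreted as markup at all.
    echo h($_GET['project']);
}

// Original: echo $_SERVER['HTTP_REFERER'];  (unfiltered, warns when absent)
// Hardened: treat the header as untrusted input; encode it, and only display
// it when it is an http(s) URL, which is all a genuine Referer can be.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ($referer !== ''
    && filter_var($referer, FILTER_VALIDATE_URL) !== false
    && in_array(parse_url($referer, PHP_URL_SCHEME), ['http', 'https'], true)) {
    echo 'Referer: ' . h($referer);
} else {
    echo 'No Referer header set';
}
```

The URL check is a validation step on top of encoding, not a replacement for it; h() alone already prevents the header from being rendered as markup.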
Payload Examples
Project Parameter Payloads:
  • <iframe src="javascript:alert(1)">
  • <object data="javascript:alert(1)">
  • <embed src="javascript:alert(1)">
  • <marquee onstart=alert(1)>
  • <details ontoggle=alert(1) open>
  • <select onfocus=alert(1) autofocus>
Referer Header Payloads:
  • <script>alert(1)</script>
  • "><script>alert(1)</script>
  • '><img src=x onerror=alert(1)>
  • <svg onload=alert(1)>
  • javascript:alert(1)
  • <body onload=alert(1)>
Testing Tools & Methods
For Project Parameter:
  • Manual testing: Direct form submission
  • Burp Suite: Intercept and modify GET parameter
  • Browser console: Modify form values dynamically
  • cURL: curl "http://site.com?project=PAYLOAD"
For Referer Header:
  • Burp Suite: Intercept and modify Referer header
  • Browser extensions: Referer control extensions
  • cURL: curl -H "Referer: PAYLOAD" URL
  • Python: Use requests library with custom headers
  • JavaScript: Use fetch API with custom Referer
About Referer Header

The Referer HTTP header contains the address of the previous web page from which a link to the currently requested page was followed.

  • Purpose: Used for analytics, logging, and optimization
  • Security Risk: Can be manipulated by attackers
  • Common Attacks: XSS, CSRF, privacy breaches
  • Protection: Always validate and encode Referer header values
  • Best Practice: Treat Referer as untrusted user input