Cross Domain Referrer Leakage
It is my first writeup so please ignore the mistakes.
I was searching for a program where I can test my skills and finally got it, I can’t disclose the program name so I will call it “target”.
I tried all my skills on finding IDOR, CSRF, XSS etc. but it is secured. Then I go to password reset area, user enumeration & victim flooding is out of scope. Finally I go for Cross Domain referrer Leakage.
What is Cross Domain Referrer Leakage?
I am here to discuss how to reproduce it, not for discussing what this vulnerability is, so for understanding that you can read this:
Cross-domain Referer leakage
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header…
Steps to Reproduce:
- Go to Password Reset area and send forget password link to your email address.
- Copy the password reset link and paste in browser to which Burp-suite is configured.
- Now turn on the intercept and capture the request.
- First check for referrer header, then check for password reset link in that header. If you find link in referrer header then check host.
- If there is complete password reset link including token, and host is third party website, it is vulnerability.
I reported this to target website and finally get a reward of 300 USD :)