The HTTP Referer request header value is not filtered out for preventing XSS attack in Microsoft Internet Explorer browsers.
It was believed that it can be exploited only with the help of Browser-based plugins APIs. In Flash, we could use addRequestHeader API.
But the "Referer" header cannot be sent with this API since Adobe Flash Player 9.0.16 and later unless it is permitted in the cross-domain policy file. Until another zeroday is discovered, Referer-based XSS is largely ignored as an unexploitable XSS vector.
This page is a proof-of-concept generator that confirms we don't need to use the above-mentioned trick to accomplish referer-based Xssing. Of course, Microsoft may fix it anytime soon. But it still works at this time of writing, 2012-06-17.
Your browser compatibility:
Keywords: Microsoft Internet Explorer, Referer, referer-based, XSS, Cross Site Scripting
Send your feedback or suggestions to pentest @ yehg dot net.