The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Is it a bug? "Cross-domain Referer leakage" is reported despite no sensitive data in the "Referer" header, why?

jungletsubasa | Last updated: Sep 11, 2024 01:14AM UTC

Hi team,

I need some clarification on the scanner category "Cross-domain Referer leakage". My client needs to use this Burp Pro scanner feature. The Burp Pro scanner reports "Cross-domain Referer leakage" even when there is no sensitive data in the "Referer" header. Example:

```
GET /stripethirdparty-srv/assets/v21.6/HCaptchaInvisible.html?id=3baad298-f576-445f-99c4-1fdcd13c0c2d&origin=https%3A%2F%2Fjs.stripe.com HTTP/2
Host: b.stripecdn.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Dnt: 1
Sec-Gpc: 1
Referer: https://js.stripe.com/

HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 419
Date:
Last-Modified:
Cache-Control: max-age=60, stale-while-revalidate=900
Accept-Ranges: bytes
Server: Cloudfront
Strict-Transport-Security: max-age=31556926; includeSubDomains; preload
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Content-Security-Policy: base-uri 'self'; connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://errors.stripe.com; default-src 'self'; form-action 'none'; frame-src https://hcaptcha.com https://*.hcaptcha.com; img-src 'self'; object-src 'none'; script-src 'self' https://hcaptcha.com https://*.hcaptcha.com; style-src 'self' https://hcaptcha.com https://*.hcaptcha.com; worker-src 'none'; report-uri https://q.stripe.com/csp-report

<!doctype html><html><head><script src="https://hcaptcha.com/1/api.js?onload=captchaLoad&render=explicit" async defer="defer">
```

The Burp Pro scanner highlights

```
<!doctype html><html><head><script src="https://hcaptcha.com/1/api.js?onload=captchaLoad&render=explicit" async defer="defer">
```

and reports it as "Cross-domain Referer leakage". Why?

I also tested with curl, adding sensitive data in the "Referer" header, but the Burp Pro passive scanner does not flag it. Why?

```
curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: example.com' -H $'User-Agent: any Chrome' -H $'Accept: */*' \
    -H $'Referer: https://google.com/any?access_token=eydafsdkfslfsjkdakjdjka' \
    $'https://example.com/'
```

How does "Cross-domain Referer leakage" work? There is another ticket in the same category here: https://forum.portswigger.net/thread/cross-domain-referer-leakage-is-reported-despite-referrerpolicy-attribute-cea92fe6

The definition says:

```
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form. If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request.

If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
```

which is different from what the Burp Pro scanner identifies: https://portswigger.net/kb/issues/00500400_cross-domain-referer-leakage

Can you please help? Thank you!
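The definition quoted in the post describes the Referer that the browser will attach when the page at the scanned URL loads a cross-domain resource: that value is derived from the page's own URL (here the HCaptchaInvisible.html URL together with its `id=` and `origin=` query string), not from the Referer header on the request that fetched the page. Whether the query string actually reaches the third party depends on the document's referrer policy (the `Referrer-Policy` response header, a `<meta name="referrer">` tag, or the element's `referrerpolicy` attribute mentioned in the linked thread). The following is an added example, not code from the post or from PortSwigger: it implements the policy table from the W3C Referrer Policy specification, extracts outbound references from a response body, and reports for each cross-origin reference which Referer would be sent and whether the page's query string leaks. The page URL and `<script>` tag are taken from the post (a closing tag is added); the `app.example`/`cdn.example` sample and the `strict-origin-when-cross-origin` default (what current browsers apply when no policy is set) are assumptions for illustration.

```python
"""Compute the Referer a browser would send when a page loads a third-party
resource, and flag cases where the page's query string would leak.

Added example, not PortSwigger's code. The policy table follows the W3C
Referrer Policy spec; see the lead-in for which inputs are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumption: browser default when neither header, <meta name="referrer">
# nor the element's referrerpolicy attribute says otherwise.
DEFAULT_POLICY = "strict-origin-when-cross-origin"
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
             "a": "href", "form": "action", "video": "src", "audio": "src"}


def origin(url):
    """scheme://host[:port] with credentials, path, query and fragment dropped."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def full_referer(url):
    """The 'full URL' form a browser sends: credentials and fragment stripped."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme, f"{p.hostname}{port}", p.path or "/", p.query, ""))


def referer_for(page_url, target_url, policy=""):
    """Referer header value the browser sends for target_url, or None if none."""
    policy = (policy or DEFAULT_POLICY).lower()
    same_origin = origin(page_url) == origin(target_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme == "http")
    full, orig = full_referer(page_url), origin(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return orig
    if policy == "origin-when-cross-origin":
        return full if same_origin else orig
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else orig
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else orig)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown referrer policy: {policy!r}")


class _RefParser(HTMLParser):
    """Collect outbound references plus any per-element or <meta> policy."""
    def __init__(self):
        super().__init__()
        self.refs, self.meta_policy = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_policy = a.get("content") or ""
        url = a.get(URL_ATTRS.get(tag, ""))
        if url:
            self.refs.append((tag, url, a.get("referrerpolicy")))


def find_referer_leaks(page_url, html, header_policy=""):
    """One record per cross-origin reference in html: the Referer that would be
    sent when the browser fetches it, and whether it carries page_url's query."""
    parser = _RefParser()
    parser.feed(html)
    page_query = urlsplit(page_url).query
    findings = []
    for tag, url, elem_policy in parser.refs:
        target = urljoin(page_url, url)
        if urlsplit(target).scheme not in ("http", "https"):
            continue  # data:, javascript:, mailto: carry no Referer
        if origin(target) == origin(page_url):
            continue  # same-origin loads are not cross-domain leaks
        # Precedence: element attribute > <meta name=referrer> > response header > default
        policy = elem_policy or parser.meta_policy or header_policy
        ref = referer_for(page_url, target, policy)
        findings.append({
            "tag": tag, "target": target, "policy": policy or DEFAULT_POLICY,
            "referer": ref,
            "leaks_query": bool(page_query) and ref is not None
                           and urlsplit(ref).query == page_query,
        })
    return findings


# Page URL and <script> tag from the post above (closing tag added).
POST_PAGE_URL = ("https://b.stripecdn.com/stripethirdparty-srv/assets/v21.6/HCaptchaInvisible.html"
                 "?id=3baad298-f576-445f-99c4-1fdcd13c0c2d&origin=https%3A%2F%2Fjs.stripe.com")
POST_HTML = ('<!doctype html><html><head><script src="https://hcaptcha.com/1/api.js'
             '?onload=captchaLoad&render=explicit" async defer="defer"></script>')

# Constructed sample: a reset page whose query string carries a token and whose
# server sends an over-permissive Referrer-Policy header.
RESET_PAGE_URL = "https://app.example/reset?token=abc123"
RESET_HTML = '<html><body><img src="https://cdn.example/logo.png"></body></html>'

if __name__ == "__main__":
    for policy in ("", "no-referrer-when-downgrade"):
        for f in find_referer_leaks(POST_PAGE_URL, POST_HTML, policy):
            print(f)
    for f in find_referer_leaks(RESET_PAGE_URL, RESET_HTML, "unsafe-url"):
        print(f)
```

Running it shows the two sides of the question: with no policy set, the hcaptcha.com script load carries only `https://b.stripecdn.com/`, so the `id`/`origin` parameters stay put; under `no-referrer-when-downgrade` or `unsafe-url` the full page URL, query string included, goes to the third party. Adding a Referer header to an incoming request, as in the curl test, does not change any of this, because the leak is about what the page's own URL would send onward.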

Dominyque, PortSwigger Agent | Last updated: Sep 11, 2024 09:32AM UTC