Fiddler Xss

According to Wikipedia, “Referer spoofing is the sending of incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.”

In other words, making a server think that requests are coming from anywhere we want.

MSRC Notification

The original PoC sent to MSRC was using iframes, but their rejection made me come back to find something easier. Either way, the referer-spoof works essentially as in the original proof of concept.

Date: Jul 14, 8:47AM (GMT-3)

From: Manuel Caballero
To: [email protected]

Hey fellas! Attached you have a working PoC with an XSS-Filter bypass […]

1) Inject an iFrame on the vulnerable URL.
2) Load the vulnerable inside the iFrame but this time, with the script you want to execute.

Now, this happens because IE/Edge disable the filter when the requests come from the same-domain referrer […]

It’s easy to load inside the iFrame the vulnerable URL because IE/Edge have many problems regarding referrers.

It’s quite easy (check the PoC) to emulate essentially, any referrer we want. […]

Date: Jul 14, 5:29PM (GMT-3)
From: [email protected]
To: Manuel Caballero

Hello, Thank you for contacting the Microsoft Security Response Center (MSRC)[…] but filter bypasses themselves are not considered to be vulnerabilities.
The referer is an HTTP header that allows a site to identify where the request is coming from. For example, if we search for “MS Edge” in Google and click on the first organic link, the browser will navigate to sending as the referer. Microsoft will know that we are coming from Google because the referer is sent by the browser when doing the request.

The referer is not only sent when clicking on a link but also on every resource that is requested. If we load a webpage (say, that renders two images and an iframe, all those requests will carry the referer in the http header. The requests will look like this:

  1. Main page ( with an empty referer. The browser leaves it blank when we directly type the URL into the address bar.
  2. Two images. Both with as the referer.
  3. One iframe also with as the referer.

Let’s watch that closely while capturing traffic using Fiddler Web Debugger. The test page is a simple HTML document with two images side by side and an iframe below them.

Now check out the Fiddler log below, with the request numbers matching the ones of the images/iframe above. In the first row we have the request number, then the Host/URL, and in the last one the referer. To make this clearer I deleted a few lines (requests 1, 6 and 7) from the Fiddler log, as those were unrelated to our task.

Look below how request #2 has an empty referer because it’s the URL that we typed in the address bar, with no referer at all. Then come requests #3 and #4, where both have as the referer. Finally request #5, also with

But what happens after that? Why is it that all requests starting from #8 have as the referer? Who is requesting those scripts and images? It’s because those images/scripts are being requested by and not by magicmac, even if the top URL is magicmac. Keep in mind that the referer is always the Host/URL that generates the request. is inside an iframe, and all requests that is doing are coming from, not from magicmac.

If this explanation is unclear, I suggest you read this Wikipedia article, which is better written and more detailed.

Basic uses of the HTTP referer on the web

  • A server wants to prevent other sites from requesting images from itself. This is called hotlinking.
  • A website wants to serve premium content only to a specific HTTP referer. This happens a lot with videos/tutorials served from Vimeo. They are accessible only when the browser referer comes from a particular host. In other words, if you know the “secret” host and how to change your referer, you can get all that content for free.
  • Browsers disable the XSS Filter, leaving the site naked against XSS or CSRF attacks. What? Oh yes. IE/Edge allow a site to “auto-xss” itself. In other words, those browsers will literally disable the XSS filter if the referer of the request comes from the same domain. No worries if unclear, we will see this in a bit.

Creating vulnerable samples

Let’s create a couple of php scripts: one with a referer check to serve “premium content” and another vulnerable to XSS attacks.

The script below serves premium content only to requests coming from, otherwise it says you are not authorized.

<?php
$host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST); // host part of the Referer header, null when absent
if ($host === 'EXPECTED_HOST') echo 'This is your premium content because you are coming from: '.$host; // EXPECTED_HOST is a placeholder for the host the post checks for
else echo 'You are not authorized to view this page';

[ Try it Live! ]

The page returned a “not authorized” message because the referer is brokenbrowser, not nature. But no worries, we will bypass this soon. Let’s see now a site that is vulnerable to XSS attacks.


[ Try it Live! ]

The code injection failed thanks to the XSS filter. No hurries, we will bypass this in a second.

Referer spoof – How to do it

The problem that both Edge and IE have is quite simple: when changing the location of the top window using JavaScript, the referer will be the previous URL instead of the host that changed it. Check below; it’s easier to read the code than my English explanation:


[ Try it Live! ]

Fooled! Microsoft Edge (and IE) mistakenly passed as the referer when it was just the previous page. Remember: the referer should be the URL that initiated the request, not the previous page. In the example above, we opened a window on nature and immediately changed its location via scripting. The referer should have been the URL of the script that changed its location, which in this case is also Want to try it again? Let’s make think that we are coming from PayPal.


[ Try it Live! ]

XSS Filter Bypass – How to do it

Bug hunter, I’m pretty confident you are aware of the mechanics of the IE/Edge XSS filter, but just in case, remember that it is literally disabled on pages where the referer host equals the host of the rendered page. So this will be pretty simple: we open any URL that belongs to the host of the vulnerable page, and then we change the location, XSSing it straight away! If we want to attack then we will emulate-spoof as the referer and then XSS it. Let’s give it a try. Remember the vulnerable page above?


We tried to inject a script there but failed because the XSS filter blocked it. But let’s fool the referer and make this work!

6'');// Referer Spoofer
// Successful code injection

Fellow bug hunter, I hope you will continue playing with this. The history and location objects have other bugs waiting to be found. Play with them and the vulnerabilities will come to you!

Have fun and ping me if you have questions!
