Trackbacks, Who Is Linking You and where you should pay attention

Michael Schwarz on Wednesday, April 11, 2007

Today I opened the Turkish version of Google [1] and searched for something I cannot remember. The thing was that I didn't hit Enter; instead I clicked on the button "Google'da Ara". What I noticed then was that the ' was not correctly URL-encoded. Hm, nothing you have to care about. But after clicking on a link to a blog from the search results, I found the same wrongly URL-encoded URL in the "who is linking me" section. While reading the page I had the idea to do some more testing with the apostrophe (or a quote).

There are a lot of web sites using the HTTP Referer header to add links to such a "who is linking me" section. I think in about 90% of cases they use the original string exactly as it arrives in the HTTP header. If that string contains JavaScript, it is possible to inject malicious code into the web site. The same problem occurs if you take the HTTP Referer from your log files, or from any other request, without inspecting it carefully.

I prepared some URLs that were later embedded on some blogs as trackbacks. When logged-in users opened that page it was possible to get private data from their accounts or run any action under their user credentials. This is possible because you can run any XHR GET or POST, since the user is within the same origin policy as the web page itself. Maybe I will have time tomorrow (it is already 2:30 at night and I have to sleep now) to put a demo online to show you how easily this is possible.

A lot of common blog engines, content management systems and other blogging software have this problem; it is not a Google-specific problem. I talked with Dan about this security vulnerability and how to avoid it. Yes, Google could parse any request and redirect to the correctly URL-encoded location. But the correct way is not to trust the HTTP Referer at all and to do the character encoding on your own side. Web browsers could do better URL encoding, too: with Internet Explorer it seems to work sometimes and fail at other times.
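To make the fix concrete for both the live-request case and the log-file case above, here is an added example (not code from the original post or from any particular blog engine). It assumes a generic server-side widget that collects Referer values, either from the current request or from Combined Log Format access logs, and renders them as links. It shows the raw-copy pattern beside a hardened version that validates the scheme, percent-encodes the value on the server side and HTML-escapes it on output. The sample referers and log lines are constructed.

```python
"""Safe rendering of a "who is linking me" list built from the HTTP Referer.

Added example, not code from the original post or from any particular blog
engine. It assumes a generic server-side widget that collects Referer values
(from the live request or from access logs) and renders them as links. All
sample referers and the log lines below are constructed.
"""
import html
import re
from urllib.parse import quote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_LEN = 2048  # drop absurdly long headers instead of rendering them


def render_referer_unsafe(referer: str) -> str:
    """The pattern the post describes: the raw header is copied into the page.

    An apostrophe, quote or angle bracket in the Referer ends up as live
    markup, so a crafted referer runs in the blog's own origin.
    """
    return f'<li><a href="{referer}">{referer}</a></li>'


def normalize_referer(referer):
    """Validate a Referer value and re-encode it; return None to drop it."""
    if not referer:
        return None
    referer = referer.strip()
    if len(referer) > MAX_LEN:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. malformed bracketed IPv6 host
        return None
    # Only absolute http(s) URLs make sense as a "linking" page; this rejects
    # javascript:, data:, relative paths and scheme-less junk.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Percent-encode everything except URL structure characters. Apostrophe,
    # double quote, angle brackets and parentheses are not in the safe set,
    # so they become %27, %22, %3C, %3E, %28, %29. '%' is kept so already
    # encoded sequences are not double-encoded.
    return quote(referer, safe="/:?=&%#@+;,")


def render_referer_safe(referer) -> str:
    """Hardened variant: validate, re-encode, then HTML-escape on output."""
    url = normalize_referer(referer)
    if url is None:
        return ""
    # Escaping on output is the second layer: it turns the '&' between query
    # parameters into '&amp;' and would neutralise anything quote() missed.
    shown = html.escape(url, quote=True)
    return f'<li><a href="{shown}" rel="nofollow">{shown}</a></li>'


def build_widget(referers) -> str:
    """Render the whole list; rejected referers simply disappear."""
    items = [render_referer_safe(r) for r in referers]
    return "<ul>" + "".join(i for i in items if i) + "</ul>"


# Combined Log Format: the referer is the first quoted field after the
# status code and byte count. Apache writes embedded quotes as \".
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>(?:\\.|[^"\\])*)" "'
)


def referer_from_log_line(line: str):
    """Extract the Referer field from an access-log line ('-' means none)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ref = m.group("referer").replace('\\"', '"')
    return None if ref == "-" else ref


# Constructed samples: a benign Turkish Google referer with the unencoded
# apostrophe from the post, and a crafted one carrying markup.
GOOGLE_TR = "http://www.google.com.tr/search?q=ajax&btnG=Google'da+Ara"
CRAFTED = 'http://evil.example/?q="><script>alert(1)</script>'
SAMPLE_LOG = (
    '203.0.113.5 - - [11/Apr/2007:02:30:00 +0200] "GET /blog/post HTTP/1.1" '
    '200 5120 "' + GOOGLE_TR + '" "Mozilla/5.0"'
)

if __name__ == "__main__":
    print(render_referer_unsafe(CRAFTED))   # script tag lands in the page
    print(render_referer_safe(CRAFTED))     # rendered as inert %3Cscript%3E
    print(render_referer_safe(referer_from_log_line(SAMPLE_LOG)))
```

The two layers are deliberate: percent-encoding fixes the URL itself (so the apostrophe from the Google button becomes `%27` whether or not the browser encoded it), and HTML-escaping at output time protects the page even if a future change renders the referer somewhere other than an `href`. Rejecting non-http(s) schemes keeps `javascript:` values out of the link list entirely.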

Conclusion

Never trust anything that could be modified by a web browser request. The HTTP Referer can be modified to anything; it need not be a correctly URL-encoded string. With the Fiddler tool you can change it in seconds, and not only the Referer. Treat it the same way you have learned to treat SQL injection.