I found out that there is a reflected XSS on the
/register.php endpoint through the vulnerable
ref parameter which leads to account takeover.
Steps to reproduce
If you open the following link and hover your mouse over on
Return to the previous page the XSS executes:
An attacker can craft a payload to steal cookies (due to no
httponly cookie attribute), an example of such payload is:
http://attacker.com is the attacker's domain, opening the above link and hovering the mouse on
Return to previous page results in a redirection to the attacker's domain and the cookies will be sent over to the attacker's server in the URL.
No user-interaction payload
I also built a payload that works without any user interaction, the following payload works on all browsers except for firefox:
http://firstbloodhackers.com/register.php?ref='id='x' tabindex='1' autofocus onfocus='alert(document.cookie)
An attacker can craft a payload to steal cookies (due to no httponly cookie attribute), an example of such payload is:
http://attacker.com is the attacker's domain, opening the above link can result in the redirection of the victim to an attacker's domain and leaking the
drps cookie along with it.
An attacker can set this cookie on his browser to access
This happens because of two cookies misconfiguration:
Cookies are not set as
Cookies are not deleted/expired as they meant to be after logging out, which makes it possible for an attacker to re-use the cookies whenever he wants to.
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
ref parameter should not be controlled by users.
- Preferably set