FirstBlood-#150 — Reflected xss on login.php
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, 0xblackbird reported:
Hello! I have found another open redirect on /login.php that I could leverage into reflected XSS. It only needs a single click from the victim to fire. I was also able to take over the victim's account by stealing cookies.
Steps to reproduce
- /login.php?ref=ja%0avascript:confirm%60%60 and click on Return to previous page
- Now to go for account takeover, we can just put the cookies in a url as a path/parameter value and redirect to it. Here is a little Proof of Concept:
- All we have to do now is make sure our victim visits our malicious link and he/she will end up losing the account.
Same here, I re-used the parameter ref and got reflection. When I first injected java%0ascript:confirm%60%60, java got removed. So I went ahead and tried to place the %0a between ja and va, and of course this one worked! I also found other bypasses such as
Thanks for the fun and very realistic challenge!
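As an added defender-side illustration (example code, not part of the report or the FirstBlood application), the keyword-stripping filter 0xblackbird describes is reproduced beside an allow-list validator that normalizes the value the way a browser does before checking the scheme; the hostname and helper names are assumptions:

```python
import re
from urllib.parse import urlsplit

# Decoded forms of the two payloads from the report (the query string
# decodes %0a to a newline and %60 to a backtick).
BLOCKED_PAYLOAD = "java\nscript:confirm``"   # "java" is removed by the filter
BYPASS_PAYLOAD = "ja\nvascript:confirm``"    # newline splits the keyword


def naive_filter(ref: str) -> str:
    """Mimics the behaviour the report describes: strip the literal word
    'java' from the ref parameter. Any value that never contains that exact
    substring passes, although the browser still sees 'javascript:' once it
    discards the newline."""
    return ref.replace("java", "")


def browser_normalize(ref: str) -> str:
    """Approximate what a browser does before reading the scheme: drop
    ASCII tab/LF/CR anywhere and strip leading C0 controls and spaces."""
    cleaned = re.sub(r"[\t\n\r]", "", ref)
    return cleaned.lstrip("".join(chr(c) for c in range(0x21)))


def is_safe_redirect(ref: str, allowed_host: str = "firstblood.example") -> bool:
    """Allow-list validation for a redirect target (hostname is assumed).
    Accepts only same-host http(s) URLs or a plain local path."""
    cleaned = browser_normalize(ref)
    # Protocol-relative and backslash forms resolve to another host.
    if cleaned.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(cleaned)
    if parts.scheme == "" and parts.netloc == "":
        return cleaned.startswith("/")          # local path only
    return parts.scheme in ("http", "https") and parts.netloc.lower() == allowed_host


if __name__ == "__main__":
    print(repr(naive_filter(BLOCKED_PAYLOAD)))   # keyword destroyed
    print(repr(naive_filter(BYPASS_PAYLOAD)))    # unchanged: filter bypassed
    for candidate in (BYPASS_PAYLOAD, "/index.php", "//evil.example/",
                      "https://firstblood.example/"):
        print(f"{candidate!r:35} -> {is_safe_redirect(candidate)}")
```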
This report has been publicly disclosed for everyone to view
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.