FirstBlood-#150 — Reflected xss on login.php
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xblackbird Level 5 reported:
Hello! I have found another open redirect on /login.php that I could leverage to reflected XSS. It only needs one single click from the victim to fire. I was also able to take over the victim's account by stealing cookies.
Steps to reproduce
/login.php?ref=ja%0avascript:confirm%60%60 and click on Return to previous page
- Now to go for account takeover, we can just put the cookies in a url as a path/parameter value and redirect to it. Here is a little Proof of Concept:
- All we have to do now is make sure our victim visits our malicious link and he/she will end up losing the account.
Same here, I re-used the parameter ref and got reflection. When I first injected java%0ascript:confirm%60%60 and java got removed. So I went ahead and tried to place the %0a between ja and va, and of course this one worked! I also found other bypasses such as
Thanks for the fun and very realistic challenge!
Kind regards, 0xblackbird
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
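Added example, not part of the original report and not FirstBlood's code: it shows why stripping the substring "java" fails once URL parsing drops the newline, and an allowlist check for the ref value. The function names, the filter logic in naiveFilter and the origin app.example are assumptions made for illustration.

```javascript
// Added example. naiveFilter() is an assumed stand-in for the behaviour the
// report describes ("java got removed"); it is not the application's code.
const BASE = "https://app.example"; // placeholder origin (assumption)

function naiveFilter(ref) {
  // Blocklist approach: strip the substring "java" from the decoded value.
  return ref.replace(/java/gi, "");
}

function effectiveScheme(ref) {
  // WHATWG URL parsing removes ASCII tab/LF/CR before reading the scheme,
  // which is what a browser does with an href value.
  try {
    return new URL(ref, BASE).protocol;
  } catch {
    return null;
  }
}

function safeReturnUrl(ref, fallback = "/") {
  // Allowlist approach: reject control characters and backslashes, accept
  // only same-origin http(s) targets, and return a normalised path instead
  // of echoing the raw input.
  if (typeof ref !== "string" || /[\u0000-\u001f\u007f\\]/.test(ref)) return fallback;
  let u;
  try { u = new URL(ref, BASE); } catch { return fallback; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return fallback;
  if (u.origin !== new URL(BASE).origin) return fallback;
  return u.pathname + u.search + u.hash;
}

// Constructed sample inputs: the two values from the report (URL-decoded),
// plus one legitimate return path and one off-site target.
const samples = [
  decodeURIComponent("java%0ascript:confirm%60%60"),
  decodeURIComponent("ja%0avascript:confirm%60%60"),
  "/dashboard.php?tab=1",
  "//other.example/path",
];
for (const s of samples) {
  const scheme = effectiveScheme(naiveFilter(s));
  console.log(JSON.stringify(s), "| scheme after naive filter:", scheme,
              "| safeReturnUrl:", safeReturnUrl(s));
}
```

The same check also covers the open redirect, since any target outside the application's own origin falls back to the default path.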