FirstBlood-#154 — Reflective XSS on /login.php endpoint through the vulnerable `ref` parameter
This issue was discovered on FirstBlood v1
On 2021-05-10, holybugx Level 5 reported:
I found out that there is a reflected XSS on the
/login.phpendpoint through the vulnerable
refparameter which leads to account takeover.
Steps to reproduce
- Open the following link:
- Click on the
Return to previous pageand the XSS pops-up:
I found out that certain keywords are being blocked and removed, I realized
java%09scriptbut then I realized using this payload
javakeyword is removed, also realized
(are being removed.
I used the following tricks to bypass the filtering:
- You can use multiple encoding/unicoding tricks to bypass the
ja%09vascript ja%0avascript ja%0dvascript
You can use
promptif keywords such as
When parentheses are filtered you can either use
` `as I did, or in some cases you can use encoding tricks such as HTML encode or URL encoding/Double URL encoding.
confirm(1) --> confirm`1`
An attacker can craft a payload to steal cookies, an example of such payload is:
http://attacker.comis the attacker's domain, opening the above link and clicking on the
Return to previous pageresults in a redirection to the attacker's domain and the cookies will be sent to the attacker's server.
An attacker can set this cookie on his browser to access
This happens because of two cookies misconfiguration:
Cookies are not set as
Cookies are not deleted/expired as they meant to be after logging out, which makes it possible for an attacker to re-use the cookies whenever he wants to.
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
refparameter should not be controlled by users.
- Preferably set
- Account takeover
FirstBlood ID: 3
Vulnerability Type: Reflective XSS