FirstBlood-#155 — Reflected xss on register.php
This issue was discovered on FirstBlood v1.0.0
On 2021-05-10, 0xblackbird reported:
Hello! I found another reflected XSS on
/register.php. This one doesn't need any user interaction, but it doesn't work without user interaction on Firefox, only on the majority of browsers such as Chrome, Edge, and Safari.
Steps to reproduce
- You'll see that the confirm box popped up.
- Now, let's escalate this. I wanted to steal the cookies as always, but this time I was quite limited and couldn't use single or double quotes. That's why I went for
- When we now visit the following, we get to see our cookie in the URL bar. This can get picked up in the logs of the attacker and thereby successfully take over the victim's account without a single click.
Thanks a lot for your awesome methodology :D!! This helped in finding this bug: parameters get reused! That's how I came across this vulnerability. From there I built my way up and saw that
"getting encoded but I was able to escape the href attribute. I went to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet and looked for the perfect payload. I saw that onfocus was not removed nor somehow encoded. I decided to add autofocus to autofocus the tab, to get a reflected XSS without user interaction! And that of course worked!
Have a great day!
Kind regards, 0xblackbird
FirstBlood ID: 4
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities, but this is inadequate because the HREF is wrapped in single quotes: with its default flags (before PHP 8.1), htmlentities encodes double quotes but leaves single quotes untouched, so a single quote in the value terminates the attribute and anything after it is interpreted as new attributes on the tag.
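The following is an added example, not FirstBlood's own register.php code, that reproduces the defect class described in the verdict and its fix. The `$ref` variable is a hypothetical stand-in for the "ref" query parameter, and the injected `data-x` attribute in the constructed input is deliberately inert; it only shows that the attribute boundary can be crossed. `ENT_COMPAT` is passed explicitly so the vulnerable branch behaves the same on every PHP version (it was the default before 8.1).

```php
<?php
// Added example (not the project's code): why htmlentities() alone does not
// protect a single-quoted HTML attribute, and what the hardened form looks like.

/**
 * Vulnerable pattern: attribute wrapped in single quotes, value encoded with
 * ENT_COMPAT (the pre-8.1 default). ENT_COMPAT encodes " but NOT ', so a '
 * in $ref closes the href attribute early.
 */
function render_vulnerable(string $ref): string
{
    $encoded = htmlentities($ref, ENT_COMPAT, 'UTF-8');
    return "<a href='/register.php?ref=$encoded'>Register</a>";
}

/**
 * Hardened pattern: ENT_QUOTES encodes both ' and " (ENT_SUBSTITUTE avoids an
 * empty string on invalid UTF-8), and the attribute itself is double-quoted,
 * so neither quote style can terminate it.
 */
function render_fixed(string $ref): string
{
    $encoded = htmlentities($ref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="/register.php?ref=' . $encoded . '">Register</a>';
}

/**
 * Simple regression check for code review or a unit test: after encoding,
 * a value that will be placed inside a quoted attribute must contain neither
 * raw quote character. Returns true when a raw ' or " survived.
 */
function attribute_breakout_possible(string $rendered, string $ref): bool
{
    // Locate the attribute value as it appears in the rendered markup.
    // Any raw quote left inside the value means the attribute can be closed.
    $start = strpos($rendered, 'ref=');
    $value = substr($rendered, $start + 4);
    // Strip the closing quote + rest of the tag for the well-formed case.
    $value = preg_replace("/['\"]>Register<\\/a>$/", '', $value);
    return strpbrk($value, "'\"") !== false;
}

// Constructed sample input: a single quote followed by a harmless attribute.
$sample = "abc' data-x='1";

$vuln = render_vulnerable($sample);
$safe = render_fixed($sample);

echo "vulnerable: $vuln\n";
// -> <a href='/register.php?ref=abc' data-x='1'>Register</a>
//    the quote survived and data-x became a real attribute on the <a> tag
echo "fixed:      $safe\n";
// -> <a href="/register.php?ref=abc&#039; data-x=&#039;1">Register</a>

echo 'breakout (vulnerable): ' . var_export(attribute_breakout_possible($vuln, $sample), true) . "\n";
echo 'breakout (fixed):      ' . var_export(attribute_breakout_possible($safe, $sample), true) . "\n";
```

Run it with `php example.php`. The two `echo` lines make the difference visible: in the vulnerable output the browser sees two attributes (`href` and `data-x`) where the developer intended one, which is exactly the foothold the report describes for adding event-handler attributes. The check function is the kind of assertion worth wiring into the template's tests so that a future change back to the default flags, or to single-quoted attributes, fails the build instead of reaching production.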