FirstBlood-#212Reflective XSS on Login page (requiring interaction), leading to leak of PII data
This issue was discovered on FirstBlood v1

On 2021-05-12, xnl-h4ck3r Level 4 reported:


An XSS vulnerability exists on /login.php that allows an attacker to craft a URL which if clicked will take the user to the login page. The ref parameter can be used to display a Return to previous page link. The href attribute of the link is vulnerable to XSS and can also be used as an Open Redirect, e.g. ref=/\/ An XSS payload can be used so if the user clicks the Return to previous page link, any cookies that may be present can be leaked to the attacker.

Steps to Reproduce

  1. Click the link{PORT}/login.php?ref=j%09avascript:onerror=confirm;throw%20document.cookie
  2. Observe the payload fires and if there are anuy cookies present, they will be leaked:

NOTE: This cookie can be sent to attackers server

  1. Clear all cookies and go to the web app again but do not log in.
  2. Add the cookie shows in Step 3 and go to /drpanel/index.php and observe that you are now logged in as admin and view patient data.


If an attacker can phish a user to click the link containing the payload, they can direct them to the Login page where the Return to previous page link is present. The attack requires the victim to click the link on the site whcih can then redirect the user to the attackers website (where they could phish for login details again), or could send any cookies the user has to the attacker (which can be used to access the admin panel and reveal PII information).

P3 Medium

Endpoint: /login.php

Parameter: ref

Payload: j%09avascript:onerror=confirm;throw%20document.cookie

FirstBlood ID: 3
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed.