FirstBlood-#219DOM XSS

On 2021-05-12, smhtahsin33 reported:

Hello, Found a DOM xss on /register.php

Steps To Reproduce:

  1. Visit;
  2. Click on Return to previous page
  3. The alert will pop up :D

Impact: Javascript Code Execution

P3 Medium

Endpoint: /register.php

Parameter: ?ref=

Payload: javascript:confirm();

FirstBlood ID: 16
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on register.php. The developers failed to filter javascript: when used on "return to previous page"

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.