FirstBlood-#258 — Reflected XSS on /login.php using ref parameter
This issue was discovered on FirstBlood v1
On 2021-05-15, iffu reported:
I've found a Reflected XSS on /login.php on the parameter 'ref'.
How I found this bug
After playing around and having a look at all the endpoints, I observed that there's a parameter 'ref' being used to redirect the user after he logs out of his account on /logout.php.
So, the final payload becomes j%0aava%0ascr%0aipt:onerror=prompt;throw%20document.cookie
Steps to Reproduce
- Visit /login.php and append a parameter 'ref' to the URL.
- Now inject the payload in the value of the ref parameter.
- Now, click on the "Return to the previous page" link.
- You will be popped with an alert.
Thanks zseano, and please let me know if you need any more info regarding this bug.
FirstBlood ID: 3
Vulnerability Type: Reflected XSS
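As an added, defender-side example that is not part of iffu's report or of FirstBlood's own code: a hypothetical server-side validator for the `ref` value. It treats the value the way a browser treats an `href` (tab/LF/CR are dropped before the scheme is parsed, which is why `j%0aava%0ascript:` still runs), then allows only same-origin paths, so a scheme such as `javascript:` or a protocol-relative `//host` never reaches the "Return to the previous page" link. Function and constant names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Browsers strip ASCII tab, LF and CR anywhere in a URL before scheme parsing,
# so the check must see the value the same way the browser will.
_BROWSER_STRIPPED = re.compile(r"[\t\n\r]")
# Any other control character (or a space) has no place in a redirect target.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def canonical_ref(raw: str) -> str:
    """URL-decode the ref parameter and drop the characters a browser ignores."""
    value = unquote(raw)
    value = _BROWSER_STRIPPED.sub("", value)
    return value.strip()


def is_safe_ref(raw: str) -> bool:
    """True only for an absolute, same-origin path such as /index.php."""
    value = canonical_ref(raw)
    if not value or _CONTROL.search(value):
        return False
    # Any scheme at all (javascript:, data:, https:) is rejected outright.
    if urlsplit(value).scheme:
        return False
    # Must start with a single "/" on this host; "//host" and "/\host" are
    # interpreted by browsers as scheme-relative links to another origin.
    if not value.startswith("/") or value.startswith("//") or value.startswith("/\\"):
        return False
    return True


def safe_ref(raw: str, default: str = "/") -> str:
    """Return the canonical ref if it passes the allow-list, else a fixed fallback."""
    return canonical_ref(raw) if is_safe_ref(raw) else default


if __name__ == "__main__":
    # Constructed inputs: the newline-split payload from the report and a benign path.
    for sample in ("j%0aava%0ascr%0aipt:onerror=prompt;throw%20document.cookie",
                   "//attacker.example/", "%2Findex.php"):
        print(repr(sample), "->", repr(safe_ref(sample)))
```

A login page would then emit `safe_ref(request_params.get("ref", ""))` into the link instead of the raw parameter; output-encoding the attribute is still needed but does not by itself stop a `javascript:` URL, which is why the allow-list comes first.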