FirstBlood-#258 — Reflected XSS on /login.php using ref parameter
This issue was discovered on FirstBlood v1
On 2021-05-15, iffu Level 5 reported:
Hi zseano
Summary
I've found a Reflected XSS on /login.php on the parameter 'ref'.
How I found this bug
After playing around and having a look on all the endpoints, I observed that there's a parameter 'ref' being used to redirect the user after he logs out of his account on /logout.php.
Then I thought maybe this parameter is also being used on /login.php while logging in. Then I just appended this parameter on /login.php and observed that the value of the input is reflected in the source code.
It's reflected inside the href attribute of an <a> tag. The payload which can be used here is javascript:alert(1). But there's a filter present which is blocking the "javascript" string. I bypassed it using ja%0av%0aa%0ascr%0aipt: . Then, ( is converted into |, so we cannot use alert(1). Then I made use of JavaScript exceptions.
So, the final payload becomes j%0aava%0ascr%0aipt:onerror=prompt;throw%20document.cookie
Steps to Reproduce
- Visit /login.php and append a parameter 'ref' to the URL.
- Now inject the payload in the value of the ref parameter.
- Now click on "Return to the previous page".
- An alert will pop up.
Thanks zseano, and please let me know if you need any more info regarding this bug.
P3 Medium
Endpoint: /login.php
Parameter: ref
Payload: j%0aava%0ascr%0aipt:onerror=prompt;throw%20document.cookie
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript: URI, but the check (a block on the literal string "javascript") is weak and can be bypassed.
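A hardened way to handle the ref parameter, as an added example that is not FirstBlood's code: it assumes the already URL-decoded query value and a constructed site origin, and shows why a substring block on "javascript" misses the split scheme (browsers strip tabs and newlines before reading it) while an allow-list on the parsed scheme and origin does not.

```javascript
// Added example (not FirstBlood's code): hardening a `ref` redirect parameter.
// Assumes the value has already been URL-decoded (as PHP's $_GET does), so the
// reporter's payload arrives with literal newlines inside the scheme.

// What a browser sees: the WHATWG parser strips ASCII tab/newline before
// reading the scheme, so "ja\nva\nscript:" is parsed as javascript:.
function parsedProtocol(ref, siteOrigin) {
  try {
    return new URL(ref, siteOrigin).protocol;
  } catch (e) {
    return null;
  }
}

// The kind of check the report defeated: a substring match on the raw value.
function naiveBlocksJavascript(ref) {
  return ref.toLowerCase().includes('javascript');
}

// Hardened check: returns { target, reason }. `target` is always a same-origin
// path; anything else falls back to the default "/".
function validateRef(ref, siteOrigin) {
  const fallback = '/';
  if (typeof ref !== 'string' || ref.length === 0) {
    return { target: fallback, reason: 'empty' };
  }
  // Defence in depth: no control characters (incl. \n, \r, \t) in a URL.
  if (/[\u0000-\u001f\u007f]/.test(ref)) {
    return { target: fallback, reason: 'control-char' };
  }
  let url;
  try {
    url = new URL(ref, siteOrigin);
  } catch (e) {
    return { target: fallback, reason: 'unparseable' };
  }
  // Allow-list the scheme instead of deny-listing "javascript".
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { target: fallback, reason: 'bad-scheme' };
  }
  // Stay on our own origin, which also blocks //evil.example open redirects.
  if (url.origin !== new URL(siteOrigin).origin) {
    return { target: fallback, reason: 'cross-origin' };
  }
  return { target: url.pathname + url.search, reason: 'ok' };
}

// Constructed site origin for demonstration; the decoded payload from the report.
const SITE_ORIGIN = 'https://firstblood.example';
const REPORTED_REF = 'j\nava\nscr\nipt:onerror=prompt;throw document.cookie';
```

Emitting `target` from the parsed URL (rather than echoing the raw ref) also keeps the value placed into the href attribute under the application's control.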