FirstBlood-#258 Reflected XSS on /login.php using ref parameter

On 2021-05-15, iffu reported:

Hi zseano


I've found a Reflected XSS on /login.php on the parameter 'ref'.

How I found this bug

After playing around and having a look on all the endpoints, I observed that there's a parameter 'ref' being used to redirect the user after he logs out of his account on /logout.php.

Then, I thought, maybe this parameter is also being used on /login.php while logging in. Then I just appended this parameter on /login.php and observed that there's a reflection of the value of the input in the source code. It's reflected inside the href attribute of an <a> tag. The payload which can be used here is javascript:alert(1). But there's a filter present which is blocking the "javascript" string. I bypassed it using ja%0av%0aa%0ascr%0aipt: . Then, ( is converted into |, so we cannot use alert(1). Then, I made use of a JavaScript exception.

So, the final payload becomes j%0aava%0ascr%0aipt:onerror=prompt;throw%20document.cookie

Steps to Reproduce

  • Visit /login.php and append a parameter 'ref' to the url.
  • Now inject the payload in the value of the ref parameter.
  • Now, click on "Return to the previous page".
  • An alert will pop up.

Thanks zseano, and please let me know if you need any more info regarding this bug.

P3 Medium

Endpoint: /login.php

Parameter: ref

Payload: j%0aava%0ascr%0aipt:onerror=prompt;throw%20document.cookie

FirstBlood ID: 3
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed.
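An added example (not code from the report or from the FirstBlood site, which is PHP) contrasting the blacklist described above with an allowlist check in Python. The site host and the "Return to the previous page" anchor are assumptions; the payload constant is the one from the report, URL-decoded as the server would receive it.

```python
import html
import re
from urllib.parse import unquote, urlsplit

SITE_HOST = "firstblood.example"  # hypothetical host, not from the report

# The reported payload, URL-decoded as PHP would hand it to the script.
REPORTED_PAYLOAD = unquote("j%0aava%0ascr%0aipt:onerror=prompt;throw%20document.cookie")

_IGNORED = re.compile(r"[\t\n\r]")       # bytes browsers drop anywhere in a URL
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # never legitimate in a redirect target


def weak_filter(ref: str) -> str:
    """Model of the blacklist the report describes: delete the literal word
    'javascript' and turn '(' into '|'. It inspects the raw string only."""
    return ref.replace("javascript", "").replace("(", "|")


def browser_scheme(url: str) -> str:
    """Scheme a browser resolves after discarding tab/CR/LF and outer whitespace,
    i.e. what actually runs when the href is clicked."""
    cleaned = _IGNORED.sub("", url).strip()
    return urlsplit(cleaned).scheme.lower()


def is_safe_redirect(ref: str) -> bool:
    """Allowlist: a site-relative path, or http(s) on our own host. Anything
    with a control character or another scheme/host is rejected outright."""
    if _CONTROL.search(ref):
        return False
    parts = urlsplit(ref)
    if not parts.scheme and not parts.netloc:
        return ref.startswith("/") and not ref.startswith("//")
    return parts.scheme.lower() in ("http", "https") and parts.hostname == SITE_HOST


def render_link(ref: str) -> str:
    """Build the anchor; fall back to '/' on rejection and always encode
    the value for the attribute context it lands in."""
    target = ref if is_safe_redirect(ref) else "/"
    return '<a href="%s">Return to the previous page</a>' % html.escape(target, quote=True)
```

Run against REPORTED_PAYLOAD, weak_filter leaves it untouched while browser_scheme still resolves it to "javascript", whereas is_safe_redirect rejects it before it reaches the attribute.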

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.