FirstBlood-#264 — Reflected XSS on login Page via ref parameter
This issue was discovered on FirstBlood v1
On 2021-05-15, codersanjay Level 3 reported:
How I found this Vulnerability
A doctor can log into his account and log out as well.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621086627/zvdkyerm7tji5r7uzfv8.png)
While logging out and intercepting the request, I saw a parameter called ref in the URL.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621086766/ig34enbgfaj0kqzebkzw.png)
Then I thought, what if I used the same parameter on the login page as well?
Here comes the interesting part.
I quickly browsed to the login page and added the ref parameter with the value sanjay, and the following is what amazed me.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621086950/sv4d5dw2ilhqteo9rntj.png)
I saw a hyperlink getting added on the page, quickly checked the source code, and this is what I saw.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621087065/zxzzcmhcgn3tizax1sww.png)
So, my ref value was reflected in the href attribute.
Next steps: How I built my payload
Attempt 1 : Come out of tags
I tried coming out of that tag so I could build my own tag with a payload. No luck 😔.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621087265/wilhkiczqpvy8eyrscnr.png)
Attempt 2: Inject javascript:confirm'1' as the value of href
I injected payload letter by letter to check if there is any filter.
Inject - j
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621087476/kg8uua2iccgplw3envaz.png)
Similarly, I appended a and v.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621087569/no1lfanx0xw7u2dxatnt.png)
Next I appended a to jav and boom! java got filtered to an empty string.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621087660/x4u8h4rbzerfqynt6i7x.png)
I learnt from its behavior that all java strings are being converted to empty strings. That too, it's recursive.
By recursive I mean, even if you give jajavava, the following happens:
jajavava -> ja{empty string}va -> java -> empty string.
So, I had to think of some other way, I cannot put java together.
Then I got this idea: what if I used a tab character (%09) between jav and a?
I tried.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621087961/nrzzkd0ed2ahx65ocbnc.png)
and it worked.
Note: Tab characters like %09 get resolved without the tab when the browser parses the HTML, i.e. jav{tab}a gets resolved to java while the page loads. So, we successfully injected java.
Now I appended my remaining payload. Without any issues, it got reflected.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621088106/feyy0sclvfzmvdpanq86.png)
Now, let's go back to the login page and test our payload.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1621088174/bjbzry5wcstiecxi4vwl.png)
Boom XSS!
Hope you enjoyed my writeup.
Impact
Run malicious JavaScript and steal user credentials.
P3 Medium
Endpoint: /login.php
Parameter: ref
Payload: jav%09ascript:confirm`1`
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed.