FirstBlood-#341 — Referer header reflection leads to Reflective XSS
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, kinako reported:
Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.
Return to previous pageelement. This href attribute in a tag reflects Referer header's value, it causes Reflective XSS.
First of all, to set a malicious value in Referer header access to such a URL like
Note: if you have a problem in URL encoded letters, you can use proxy tool to capture the request to reproduce.
Next, go to
/login.phpand move your mouse cursor on
Return to previous page.
Then, you can see popup alert.
- I tried to make it more impactful but it's only triggered in only IE browser(https://arbazhussain.medium.com/referer-based-xss-52aeff7b09e7).
- In Chrome and Firefox, XSS payload is URL encoded so does not triggered.
- FirstBlood v2 still doesn't have a
HttpOnlyflag in Cookie so malicious attackers can steal victim's cookie if Reflective XSS is executed correctly.
FirstBlood ID: 19
Vulnerability Type: Reflective XSS
The parameter ?ref= on login.php was fixed and instead the use of
$_SERVER['HTTP_REFERER']; was used. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments for example!) and the Referer header is vulnerable to reflective XSS.