FirstBlood-#341 — Referer header reflection leads to Reflective XSS
This issue was discovered on FirstBlood v2
On 2021-10-25, kinako Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Dear FirstBlood security team, I found a vulnerability on your service.
I hope this report will help you.
Summary
The endpoint /login.php has Return to previous page element.
This href attribute in a tag reflects Referer header's value, it causes Reflective XSS.
Vulnerability Description(PoC)
First of all, to set a malicious value in Referer header access to such a URL like https://1ed9de2f9883-kinako.a.firstbloodhackers.com/doctors.php?ref='/onmouseover="alert(document.cookie)"/a='
Note: if you have a problem in URL encoded letters, you can use proxy tool to capture the request to reproduce.
Next, go to /login.php and move your mouse cursor on Return to previous page.
Then, you can see popup alert.
Note
- I tried to make it more impactful but it's only triggered in only IE browser(https://arbazhussain.medium.com/referer-based-xss-52aeff7b09e7).
- In Chrome and Firefox, XSS payload is URL encoded so does not triggered.
Impact
- FirstBlood v2 still doesn't have a
HttpOnly flag in Cookie so malicious attackers can steal victim's cookie if Reflective XSS is executed correctly.
- Phishing
Regards,
kinako
P3 Medium
Endpoint: /login.php
Parameter: Referer header
Payload: Referer: https://1ed9de2f9883-kinako.a.firstbloodhackers.com/doctors.php?ref='/onmouseover="alert(1)"/a='
FirstBlood ID: 19
Vulnerability Type: Reflective XSS
The parameter ?ref= on login.php was fixed and instead the use of $_SERVER['HTTP_REFERER']; was used. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments for example!) and the Referer header is vulnerable to reflective XSS.
Report Feedback
Creator & Administrator
Nice find, thanks for providing a working PoC and mentioning it only works on IE. Some users reported that the referrer was vulnerable but the payload provided wouldn't work, and no mention of browser. So great work with clear repo steps. Perfect!