FirstBlood-#346 RXSS at /register.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, 0x1452 Level 3 reported:

Hey!

Summary

I found a reflected XSS at /register.php caused by the ref parameter. When the ref query parameter is present, the page will contain a Return to previous page link:

Quotes are properly encoded, so it doesn't seem possible to escape the href="..." context. However, it isn't properly secured against javascript: URLs. Strings like java and/or script get replaced with nope. To bypass this, we can simply insert tabs (%09) in between: ?ref=jav%09ascr%09ipt:alert(1).

To reproduce this, simply navigate to /register.php?ref=jav%09ascr%09ipt:alert(document.domain) and click on Return to previous page:

Impact

If the attacker can get a victim to click on the return link, they will be able to run any JavaScript in the victim's browser, allowing them to perform any action the victim could.

P3 Medium

Endpoint: /register.php

Parameter: ref

Payload: jav%09ascr%09ipt:alert(document.domain)


FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The ?ref parameter on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, so the case-sensitive check does not match a mixed-case scheme such as JavaScript:, and the use of characters such as %09 (a tab, which the browser's URL parser strips before reading the scheme) will also bypass the filter.