FirstBlood-#346 — RXSS at /register.php
This issue was discovered on FirstBlood v2
On 2021-10-25, 0x1452 Level 3 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hey!
Summary
I found a reflected XSS at /register.php caused by the ref parameter. When the ref query parameter is present, the page will contain a Return to previous page link:
Quotes are properly encoded, so it doesn't seem possible to escape the href="..." context. However, it isn't properly secured against javascript: URLs. Strings like java and/or script get replaced with nope. To bypass this, we can simply insert tabs (%09) inbetween: ?ref=jav%09ascr%09ipt:alert(1).
To reproduce this, simply navigate to /register.php?ref=jav%09ascr%09ipt:alert(document.domain) and click on Return to previous page:
Impact
If the attacker can get a victim to click on the return link, they will be able to run any JavaScript in the victim's browser, allowing them to perform any action the victim could.
P3 Medium
Endpoint: /register.php
Parameter: ref
Payload: jav%09ascr%09ipt:alert(document.domain)
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.