FirstBlood-#368 — Reflected XSS on register.php through the ref parameter [Bypass]
This issue was discovered on FirstBlood v2
On 2021-10-25, holybugx Level 5 reported:
Description
Hello Sean,
Reflected XSS is possible on the /register.php endpoint through the ref parameter. This is a bypass of the previous report. As the fix was not properly implemented, I was able to once again achieve XSS on this endpoint, which results in a one-click account takeover.
Steps To Reproduce
- Open the following URL and click on "Return to previous page"; the XSS executes:
https://firstbloodhackers.com/register.php?ref=j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`

As observed, the mentioned payload bypasses the implemented mitigation.
Filter Bypassing
The developer tried to filter various special characters, e.g. <, " and >, as well as filtering the java keyword to prevent javascript scheme XSS payloads.

The developer did a great job in this manner, as the keywords are properly swapped with the nope keyword, making the following payload fail:

However, the checks only work when the java keyword exists. Using Carriage Return Line Feed characters, I was able to break the filter:
j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`

The above payload is valid and results in a bypass of the filtering used by the developer.
Exploitation
An attacker can craft a payload to steal the victim's cookies, and to take over their accounts:
Where http://attacker.com is the attacker's server. Opening the above link and clicking "Return to previous page" results in a redirection to the attacker-controlled server, and the cookies are sent over as well.

- This is how an attacker receives the requests and the victim's cookies:

An attacker can use the cookies to take over various users' accounts, including the drAdmin account.
Impact
- XSS leading to one-click account takeover of various users and admins.
Remediation
- Implement proper sanitization on the ref parameter.
- Set httponly cookies so that JavaScript cannot access the cookies.
- Remove/expire the drps cookies after logging out.
Kind Regards,
HolyBugx
P3 Medium
Endpoint: /register.php
Parameter: ref
Payload: j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`
FirstBlood ID: 32
Vulnerability Type: Reflected XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, and characters such as %09 will also bypass the filter.
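The following is an added example, not code from the report or from FirstBlood. It models the filter as the report describes it (strip <, " and >, swap java for nope) and assumes the ref value is reflected into a link's href, which the page implies but does not show. It demonstrates why the report's CRLF payload and the two variants named in the triage note (mixed case and %09) all reach the browser as a javascript: link: the WHATWG URL parser, which Node's URL class implements, removes ASCII tab and newline from the input and lowercases the scheme before deciding what a link does. A hardened check that parses the value the way the browser will and only accepts http(s) targets closes all three variants; the base URL and function names are assumptions.

```javascript
// Added example (not FirstBlood's code). Models the ref filter described in
// the report and checks what scheme the browser would actually see.

// Assumed shape of the original filter: strip < " > and swap "java" -> "nope",
// case-sensitively and only when "java" appears contiguously.
function weakFilter(ref) {
  return ref.replace(/[<">]/g, "").replace(/java/g, "nope");
}

// PHP hands register.php the percent-decoded query value; model that step.
function decodeQueryValue(raw) {
  return decodeURIComponent(raw);
}

// What the browser does with the href: WHATWG URL parsing removes every ASCII
// tab or newline (\t \n \r) from the input and lowercases the scheme.
// Returns null if the value is not a parseable URL at all.
function schemeSeenByBrowser(href, base = "https://firstbloodhackers.com/register.php") {
  try {
    return new URL(href, base).protocol;
  } catch {
    return null;
  }
}

// End to end: what the weak filter emits into <a href> and what the browser runs.
function analyse(rawRefParam) {
  const filtered = weakFilter(decodeQueryValue(rawRefParam));
  return { filtered, scheme: schemeSeenByBrowser(filtered) };
}

// Hardened check: resolve the value exactly as the browser will, then allow
// only http(s) destinations. A relative path resolves against the https base
// and passes; any javascript: / data: / unknown scheme is rejected regardless
// of case, embedded whitespace or percent-encoding tricks.
function isSafeRef(decodedRef) {
  const scheme = schemeSeenByBrowser(decodedRef);
  return scheme === "http:" || scheme === "https:";
}

// Constructed payloads: the plain one the filter stops, the report's CRLF
// payload, the two variants from the triage note, and a benign value.
const PAYLOADS = {
  plain: "javascript:confirm`1`",
  crlf: "j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`",
  mixedCase: "JavaScript:confirm`1`",
  tab: "ja%09va%09script:confirm`1`",
  benign: "/dashboard.php",
};

// Summary table for each payload: filter output, browser scheme, hardened verdict.
function report() {
  return Object.fromEntries(
    Object.entries(PAYLOADS).map(([name, raw]) => {
      const { filtered, scheme } = analyse(raw);
      return [name, { filtered, scheme, safe: isSafeRef(decodeQueryValue(raw)) }];
    })
  );
}

console.table(report());
```

Running the block prints one row per payload: only the plain payload is neutralised by the weak filter (its scheme becomes nopescript:), while the CRLF, mixed-case and tab variants all parse to javascript:, and isSafeRef rejects every one of them while accepting the relative path.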