FirstBlood-#368 — Reflected XSS on register.php through the ref parameter [Bypass]
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, holybugx reported:
Reflected XSS is possible on the
/register.phpendpoint through the
refparameter. This is a bypass to the previous report. As the fix was not properly implemented, I was able to once again achieve XSS on this endpoint which results in a one-click account takeover.
Steps To Reproduce
- Open the following URL and click on
Return to previous page, the XSS executes:
As observed, the mentioned payload bypasses the implemented mitigation.
The developer tried to filter various special characters e.g.
< " >as well as filtering the
javakeyword to prevent the
The developer did a great job in this manner, as the keywords are properly swapped with the
nopekeyword, making the following payload fail:
However, the checks are only working when the
javakeyword exists. Using the Carriage Return Line Feed characters, I was able to break the filter:
The above payload is valid and results in a bypass to the filtering used by the developer.
An attacker can craft a payload to steal the victim's cookies, and to take over their accounts:
http://attacker.comis the attacker's server. Opening the above link and clicking the
Return to previous pageresults in a redirection to the attacker's controlled server and the cookies will be sent over as well.
- This is how an attacker receives the requests and the victim's cookies:
An attacker can use the cookies to takeover various user's accounts including the
- XSS leading to one-click account takeover of various users and admins.
- Implement proper sanitization on the
- Remove/Expire the
drpscookies after logging out.
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly the developer failed to use strtolower() when comparing strings, and the use of characters such as
%09 will also bypass the filter.