FirstBlood-#368 — Reflected XSS on register.php through the ref parameter [Bypass]
This issue was discovered on FirstBlood v2
On 2021-10-25, holybugx Level 5 reported:
Description
Hello Sean,
Reflected XSS is possible on the /register.php endpoint through the ref parameter. This is a bypass to the previous report. As the fix was not properly implemented, I was able to once again achieve XSS on this endpoint, which results in a one-click account takeover.
Steps To Reproduce
- Open the following URL and click on Return to previous page; the XSS executes:
https://firstbloodhackers.com/register.php?ref=j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`
As observed, the mentioned payload bypasses the implemented mitigation.
Filter Bypassing
The developer tried to filter various special characters, e.g. < " >, as well as filtering the java keyword to prevent javascript scheme XSS payloads.
The developer did a great job in this manner, as the keywords are properly swapped with the nope keyword, making the following payload fail:
However, the checks only work when the java keyword exists. Using the Carriage Return Line Feed characters, I was able to break the filter:
j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`
The above payload is valid and results in a bypass to the filtering used by the developer.
Exploitation
An attacker can craft a payload to steal the victim's cookies and take over their accounts:
Where http://attacker.com is the attacker's server. Opening the above link and clicking Return to previous page results in a redirection to the attacker-controlled server, and the cookies are sent over as well.
- This is how an attacker receives the requests and the victim's cookies:
An attacker can use the cookies to take over various users' accounts, including the drAdmin account.
Impact
- XSS leading to one-click account takeover of various users and admins.
Remediation
- Implement proper sanitization on the ref parameter.
- Set httponly cookies so that javascript cannot access the cookies.
- Remove/expire the drps cookies after logging out.
Kind Regards,
HolyBugx
P3 Medium
Endpoint: /register.php
Parameter: ref
Payload: j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. First, the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.
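Added example, written for this page and not code from the report or from the FirstBlood application: it models the ref filter the way the Filter Bypassing section describes it (strip < " >, swap the literal keyword java for nope), then asks Node's WHATWG URL parser, which applies the same rules a browser applies to an href, what scheme each variant resolves to, covering the report's CRLF payload as well as the %09 and upper-case variants mentioned in the FirstBlood note above. A hardened allowlist check is shown beside it. The filter model, the origin, the function names and the sample refs are assumptions; the real register.php source is not shown on this page.

```javascript
// Added example, not code from the report or from the FirstBlood application.
// It models the ref filter as the report describes it (strip < " >, swap the
// literal keyword "java" for "nope"), shows how a browser's URL parser reads
// the bypass payloads, and gives a hardened check. Every input below is
// constructed for the example; the real register.php source is not known.

// Model of the original mitigation (assumption based on the report's description).
function legacyFilter(ref) {
  return ref.replace(/[<">]/g, "").replace(/java/g, "nope");
}

// The scheme a browser will act on when the value lands in an href.
// The WHATWG URL parser removes every ASCII tab, CR and LF from the input
// before reading the scheme, and lower-cases the scheme, so "j\r\nav...",
// "j\tavascript:" and "JAVAscript:" all become "javascript:".
function effectiveScheme(href, base = "https://firstbloodhackers.com/register.php") {
  try {
    return new URL(href, base).protocol;
  } catch {
    return null; // unparseable: the browser would not navigate
  }
}

// Hardened replacement: instead of deleting keywords, resolve the value with
// the same parser the browser uses and allow only same-origin https paths.
// Returns the safe path+query to emit in the link, or null so the caller can
// fall back to a fixed default such as "/".
function validateRef(rawRef, origin = "https://firstbloodhackers.com") {
  let ref;
  try {
    ref = decodeURIComponent(rawRef);
  } catch {
    return null; // malformed percent-encoding
  }
  // Remove the characters the parser ignores, so this check and the browser
  // see the same string; then require an absolute path on our own origin.
  const cleaned = ref.replace(/[\t\r\n]/g, "");
  if (!cleaned.startsWith("/")) return null;
  let resolved;
  try {
    resolved = new URL(cleaned, origin);
  } catch {
    return null;
  }
  // "//attacker.example/" and "/\\attacker.example/" resolve to a foreign origin.
  if (resolved.protocol !== "https:" || resolved.origin !== origin) return null;
  return resolved.pathname + resolved.search;
}

// Constructed inputs: the report's CRLF payload, the tab and upper-case
// variants mentioned in the FirstBlood note, a plain payload the old filter
// does catch, and two non-XSS refs (one legitimate, one open redirect).
const SAMPLES = {
  crlf: "j%0D%0Aav%0D%0Aas%0D%0Acrip%0D%0At%0D%0A:confirm`1`",
  tab: "j%09avascript:confirm`1`",
  upper: "JAVAscript:confirm`1`",
  plain: "javascript:confirm`1`",
  legit: "/login.php?msg=1",
  external: "//attacker.example/",
};

// Runs every sample through the old filter and the hardened check.
function evaluate(samples = SAMPLES) {
  const out = {};
  for (const [name, raw] of Object.entries(samples)) {
    const filtered = legacyFilter(decodeURIComponent(raw));
    out[name] = {
      afterLegacyFilter: filtered,
      schemeBrowserSees: effectiveScheme(filtered),
      hardened: validateRef(raw),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluate());
}
```

The point the table makes: the legacy filter leaves the CRLF, tab and upper-case variants untouched, yet the parser reports javascript: for all three, while the hardened check returns null for every scheme-bearing value and for the protocol-relative open redirect, and passes only the same-origin path.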