FirstBlood-#461 — Reflected XSS on register.php with ref parameter, leaking cookies (requires interaction)
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, xnl-h4ck3r reported:
Sorry, the title should be Open Redirect, NOT Reflective XSS, but I can't edit the title.
ref is vulnerable to Open Redirect on register.php. In version 1, the developers failed to filter 'script' and replace them with 'nope'. This can be bypassed.
ref parameter can be used to display a return to previous page link. The href attribute of the link is vulnerable to a basic Open Redirect, e.g. ref=/\/attacker.com, but can also use the
Steps to Reproduce
- Click the link
- Click the return to previous page link and observe the payload fires, and if there are any cookies present, they will be leaked:
NOTE: This cookie can be sent to the attacker's server
- Clear all cookies and go to the web app again but do not log in.
- Add the cookie shown in Step 3 and go to /drpanel/index.php and observe that you are now logged in as the user who clicked the link and view patient data.
If an attacker can phish a user to click the link containing the payload, they can direct them to the Login page where the return to previous page link is present. The attack requires the victim to click the link on the site, which can then redirect the user to the attacker's website (where they could phish for login details again), or could send any cookies the user has to the attacker (which can be used to access the admin panel and reveal PII information).
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.
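The description above explains why the fix failed: a case-sensitive blocklist that replaces 'script' with 'nope' is defeated by mixed case or by a %09 (tab) inside the keyword, and a path like /\/attacker.com is never a blocklist hit at all. The following is an added example, not FirstBlood's code, written in Python rather than the application's PHP. It reproduces the flawed blocklist the report describes (weak_filter) beside an allowlist check (safe_ref) that only accepts a fully parsed, same-site path and otherwise falls back to the site root; the name DEFAULT_REF and the fallback to "/" are assumptions for illustration.

```python
"""Validating a 'return to previous page' target.

Added example, not FirstBlood code. weak_filter() mirrors the blocklist fix
the report describes; safe_ref() is the allowlist alternative.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumption: if the ref parameter is unusable, send the user to the site root.
DEFAULT_REF = "/"


def weak_filter(ref: str) -> str:
    """The flawed approach from the report: a case-sensitive, single-pass
    replace of 'script' with 'nope' over the raw parameter. Mixed case or a
    tab inside the word is not matched, and redirect targets are not
    examined at all."""
    return ref.replace("script", "nope")


def safe_ref(ref: Optional[str]) -> str:
    """Allowlist validation of an in-site return path.

    Accepts only a value that, after one round of percent-decoding, starts
    with exactly one '/', contains no backslash, no control or whitespace
    character (this covers %09, %0a, %0d and spaces) and parses with no
    scheme and no host. Anything else returns DEFAULT_REF.
    """
    if not ref:
        return DEFAULT_REF
    decoded = unquote(ref)
    # Control characters and whitespace: reject rather than strip, so that
    # encoded variants such as %09 cannot be used to confuse the check.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in decoded):
        return DEFAULT_REF
    # Browsers treat a backslash after the leading slash as another slash,
    # which is how /\/attacker.com becomes a protocol-relative URL.
    if "\\" in decoded:
        return DEFAULT_REF
    # Exactly one leading slash: '//host' is protocol-relative, and an
    # absolute URL (with a scheme) does not start with '/' at all.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return DEFAULT_REF
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return DEFAULT_REF
    return decoded


if __name__ == "__main__":
    # Constructed inputs: the report's own /\/attacker.com, a protocol-relative
    # form, a value carrying %09, and a legitimate in-site path.
    for candidate in ["/\\/attacker.com", "//attacker.com",
                      "/login.php%09", "/drpanel/index.php"]:
        print(f"{candidate!r:>24} -> {safe_ref(candidate)!r}")
```

The design choice is to never try to enumerate bad strings: the href is built only from a value that has already been proven to be a local path, so there is nothing for case changes or encoded whitespace to slip past.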