FirstBlood-#461 Reflected XSS on register.php with ref parameter, leaking cookies (requires interaction)
This issue was discovered on FirstBlood v2



On 2021-10-25, xnl-h4ck3r Level 4 reported:

Sorry, the title should be Open Redirect, NOT Reflective XSS, but I can't edit the title.

Summary

The parameter ref is vulnerable to Open Redirect on register.php. In version 1, the developers failed to filter javascript: when used on Return to previous page. However, in version 2 they check for the word java and script and replace them with nope. This can be bypassed.

The ref parameter can be used to display a return to previous page link. The href attribute of the link is vulnerable to a basic Open Redirect, e.g. ref=/\/attacker.com, but can also use the javascript schema to leak cookies. JavaScript can be used so that if the user clicks the return to previous page link, any cookies that may be present can be leaked to the attacker.

Steps to Reproduce

  1. Click the link http://b658805dd0fb-xnl-h4ck3r.a.firstbloodhackers.com/register.php?ref=j%09avasc%09ript:onerror=confirm;throw%20document.cookie
  2. Click the return to previous page link and observe the payload fires, and if there are any cookies present, they will be leaked:

NOTE: This cookie can be sent to the attacker's server

  1. Clear all cookies and go to the web app again but do not log in.
  2. Add the cookie shown in Step 3 and go to /drpanel/index.php and observe that you are now logged in as the user who clicked the link and view patient data.

Impact

If an attacker can phish a user to click the link containing the payload, they can direct them to the Login page where the return to previous page link is present. The attack requires the victim to click the link on the site which can then redirect the user to the attacker's website (where they could phish for login details again), or could send any cookies the user has to the attacker (which can be used to access the admin panel and reveal PII information).

P3 Medium

Endpoint: register.php

Parameter: ref

Payload: ref=j%09avasc%09ript:onerror=confirm;throw%20document.cookie


FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.
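
The filter fails because it inspects the raw string rather than the URL the browser ends up parsing. The following is an added example, not FirstBlood's code: a JavaScript model of the v2 filter as the report describes it (an assumption about its exact behaviour), next to an allowlist check that parses the value first. `APP_ORIGIN` and all function names are hypothetical.

```javascript
// Added example, not FirstBlood code. All names here are hypothetical.
const APP_ORIGIN = "https://app.example"; // assumed origin of the application

// Model of the v2 filter as the report describes it: a case-sensitive
// replacement of "java" and "script" with "nope".
function naiveFilter(ref) {
  return ref.split("java").join("nope").split("script").join("nope");
}

// What a browser does with the href: the WHATWG URL parser drops tabs and
// newlines, lower-cases the scheme and treats "\" as "/" for http(s) URLs.
function browserView(ref) {
  try {
    return new URL(ref, APP_ORIGIN);
  } catch {
    return null;
  }
}

// Hardened check: parse first, allow only same-origin targets, and emit
// the normalised path and query, never the raw input.
function safeReturnPath(ref, fallback = "/") {
  const url = browserView(ref);
  if (url === null || url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search;
}

// Constructed inputs: the two ref values from the report (URL-decoded),
// a mixed-case variant, and a legitimate local path.
const SAMPLES = [
  "j\tavasc\tript:onerror=confirm;throw document.cookie",
  "JavaScript:void(0)",
  "/\\/attacker.com",
  "/login.php?x=1",
];

function report() {
  return SAMPLES.map((ref) => {
    const filtered = naiveFilter(ref);
    const seen = browserView(filtered);
    return {
      filterChangedInput: filtered !== ref,
      scheme: seen ? seen.protocol : null,
      host: seen ? seen.host : null,
      safe: safeReturnPath(ref),
    };
  });
}

console.log(report());
```

On the server side the same rule applies in PHP: validate the parsed, normalised value against an allowlist and HTML-encode it when writing the href, instead of rewriting substrings.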