FirstBlood-#544 — Reflected XSS on /register.php using ref parameter
This issue was discovered on FirstBlood v2
On 2021-10-26, th33phoenix Level 4 reported:
Hey there!!!!
While testing on First Blood v2.0.0 I found a Reflected XSS in register.php page.
Description:
The /register.php page has a hidden parameter "ref" that can be used to inject a malicious XSS payload into the page. Though the previous bug has been fixed at the endpoint, using another bypass it is still possible to inject XSS payloads.
Impact:
Using a phishing attack, an attacker can enable a victim to visit the /register page, injecting malicious payload into the victim browser, stealing his credentials, cookies, etc
Browser used:
Firefox 93.0
Steps to reproduce:
- While running Param Miner (a Burp Suite extension used to find hidden parameters) on the /register.php page, I found a hidden parameter ref.
- Go to /register.php, inject the ?ref= parameter in the URL and intercept the request. See that the ref parameter value is reflected in the response:
- Try closing the anchor tag and injecting a script tag. <, >, script are being blocked:
- Since the value is reflected in href, try injecting javascript:alert(1)
See that the word "javascript" is blocked.
- Try inputting the words "jav" and "java". See that the endpoint accepts "jav" but blocks "java":
- Bypass this using the following payload: jav%0aa
- Also, observe that the word "script" is blocked but "scrip" is accepted. So use this payload to input the word "javascript":
jav%0aascrip%0at
So the final payload will be
jav%0aascrip%0at:alert(1)
- Go to the browser and inject the above payload in the ref parameter:
- Click on the "Return to previous page" and see that the payload is executed:
P3 Medium
Endpoint: /register.php
Parameter: ref
Payload: jav%0aascrip%0at:alert(1)
FirstBlood ID: 32
Vulnerability Type: Reflected XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.