FirstBlood-#544: Reflected XSS on /register.php using ref parameter
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, th33phoenix (Level 3) reported:

Hey there!!!!

While testing on First Blood v2.0.0 I found a Reflected XSS in register.php page.

Description:

The /register.php page has a hidden parameter "ref" that can be used to inject a malicious XSS payload into the page. Though the previous bug has been fixed at the endpoint, using another bypass it is still possible to inject XSS payloads.

Impact:

Using a phishing attack, an attacker can make a victim visit the /register page, injecting a malicious payload into the victim's browser and stealing their credentials, cookies, etc.

Browser used:

Firefox 93.0

Steps to reproduce:

  1. While running Param Miner (a Burp Suite extension used to find hidden parameters) on the /register.php page, I found a hidden parameter ref.

  2. Go to /register.php, inject the ?ref= parameter in the URL and intercept the request. See that the ref parameter value is reflected in the response:

  3. Try closing the anchor tag and injecting a script tag. <, > and script are being blocked:

  4. Since the value is reflected in href, try injecting javascript:alert(1). See that the word "javascript" is blocked.

  5. Try inputting the words "jav" and "java". See that the endpoint accepts "jav" but blocks "java":

  6. Bypass this using the following payload: jav%0aa

  7. Also observe that the word "script" is blocked but "scrip" is accepted. So use this payload to input the word "javascript":

     jav%0aascrip%0at

     So the final payload will be

     jav%0aascrip%0at:alert(1)

  8. Go to the browser and inject the above payload in the ref parameter:

  9. Click on "Return to previous page" and see that the payload is executed:

P3 Medium

Endpoint: /register.php

Parameter: ref

Payload: jav%0aascrip%0at:alert(1)


FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The fix for the ?ref parameter on register.php was incomplete and can be bypassed in several ways. Firstly, the developer failed to use strtolower() when comparing strings, so mixed-case input evades the check, and the use of characters such as %09 (tab) will also bypass the filter.
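As an added example, not FirstBlood's own code, here is the kind of case-sensitive blocklist the note above describes next to a hardened handler for the ref value, written in PHP because register.php is a PHP page. The blocklist contents, function names and sample inputs are assumptions for illustration only; the point is that a blocklist inspects a different string than the one the browser ends up interpreting, whereas an allowlist of site-relative paths plus output encoding does not depend on guessing every evasion.

```php
<?php
// Added example (not FirstBlood's code): two ways of handling a
// "return to previous page" parameter such as ?ref= on register.php.
// Blocklist contents, function names and sample inputs are assumptions.

// Flawed approach, reconstructed from the triage note: a case-sensitive
// blocklist. It misses mixed case ("JavaScript:") because strtolower()
// is never applied, and it misses values with %09/%0a inside the scheme
// ("jav\nascrip\nt:") because browsers strip those characters from a
// URL before interpreting it, while the filter sees them as breaking
// the word.
function ref_blocklist_filter(string $ref): string
{
    $blocked = ['<', '>', 'script', 'javascript'];
    foreach ($blocked as $bad) {
        if (strpos($ref, $bad) !== false) {   // exact, case-sensitive match only
            return '/';
        }
    }
    return $ref;
}

// Hardened approach: treat the value as untrusted data and allowlist the
// shape we actually need, a site-relative path. Everything else falls
// back to a fixed default.
function safe_return_url(?string $ref, string $default = '/'): string
{
    if ($ref === null || $ref === '') {
        return $default;
    }
    // Reject any ASCII control character (tab, LF, CR, NUL, ...) outright,
    // so no stripping done later by the browser can change the meaning.
    if (preg_match('/[\x00-\x1F\x7F]/', $ref)) {
        return $default;
    }
    // Must start with exactly one "/": "/account" is fine, but "//host/x"
    // and "/\host/x" would be treated as another origin by browsers.
    if ($ref[0] !== '/' || (isset($ref[1]) && ($ref[1] === '/' || $ref[1] === '\\'))) {
        return $default;
    }
    // Belt and braces: anything that parses with a scheme or host is out.
    $parts = parse_url($ref);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $ref;
}

// Output encoding for the href attribute. ENT_QUOTES also escapes the
// single quote so the value cannot break out of a quoted attribute.
function render_return_link(?string $ref): string
{
    $url = htmlspecialchars(safe_return_url($ref), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $url . '">Return to previous page</a>';
}

// Constructed sample inputs, including the report's payload after URL decoding.
$samples = [
    '/login.php',                   // legitimate site-relative path
    "jav\nascrip\nt:alert(1)",      // the report's jav%0aascrip%0at:alert(1)
    "jav\tascript:alert(1)",        // %09 variant mentioned in the triage note
    'JavaScript:alert(1)',          // mixed case, evades a case-sensitive check
    '//other.example/page',         // protocol-relative URL to another host
    '/page?x=1"><b>',               // attribute break-out attempt, neutralised by encoding
];
foreach ($samples as $s) {
    printf("%-32s blocklist=%-30s hardened=%s\n",
        json_encode($s), json_encode(ref_blocklist_filter($s)), render_return_link($s));
}
```

Running the script prints one line per sample: the blocklist passes the newline, tab and mixed-case variants through unchanged, while the hardened path returns "/" for all of them and only keeps the two site-relative inputs, with the quote in the last one encoded as &quot; so it stays inside the attribute.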