FirstBlood-#624 — Reflected XSS in register.php page
This issue was discovered on FirstBlood v2
On 2021-10-26, sumyth Level 2 reported:
Hi,
Please find a brief description of the vulnerability below.
Summary
On the register.php page on firstblood.com, there exists a reflected XSS vulnerability which can be used to execute arbitrary JavaScript payloads.
Steps to Reproduce:
- Visit the vulnerable endpoint. Add the 'ref=' parameter to the URL and forward the request to the server. Observe that we have a new navigation item which allows us to return to the previous page.
- Add the payload to the ref parameter and send the modified request to the server. Observe that the payload is successfully inserted into the navigation item's href parameter.
- Click on the navigation item 'Return to previous page'. Observe that the JavaScript payload is executed successfully.
Impact
Reflected XSS present in the GET parameter of the URL can allow an attacker to run malicious JavaScript in the victim's browser, which can lead to unintended redirects, phishing attacks, etc.
P3 Medium
Endpoint: register.php
Parameter: ref=
Payload: jaVascripT:confirm();
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.
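As an added defender-side illustration that is not part of the report or of the FirstBlood code: a Python reconstruction of the weak check (assumed to be a case-sensitive prefix compare on the raw value, as the description implies) next to an allowlist validator that judges the value the way a browser will read it, so the mixed-case and %09 bypasses above stop working. The sample values are constructed; the %09 case is shown already URL-decoded as a tab.

```python
import re
from urllib.parse import urlsplit

# Characters a browser discards before it picks a scheme (WHATWG URL parsing):
# leading/trailing C0 controls and space, plus any ASCII tab, CR or LF anywhere.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_CR_LF = re.compile(r"[\t\r\n]")
ALLOWED_SCHEMES = {"http", "https"}


def weak_filter(ref: str) -> bool:
    """Assumed reconstruction (not the real register.php code) of the weak check:
    a case-sensitive prefix compare on the raw value. True means 'let through'."""
    return not ref.startswith("javascript:")


def browser_view(ref: str) -> str:
    """Approximate how the browser reads the href before choosing a scheme."""
    return _TAB_CR_LF.sub("", ref.strip(_C0_AND_SPACE))


def safe_ref(ref: str, default: str = "/") -> str:
    """Allowlist check: keep only a same-site path or an absolute http(s) URL,
    judged on the browser's view of the value; otherwise fall back to default."""
    view = browser_view(ref)
    # Same-site relative path; "//host" and "/\host" are scheme-relative in browsers.
    if view.startswith("/") and view[1:2] not in ("/", "\\"):
        return view
    parts = urlsplit(view)  # urlsplit lowercases the scheme it finds
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return view
    return default


if __name__ == "__main__":
    # Constructed samples: the page's payload, its %09 variant, a leading-space
    # variant, and benign values.
    for sample in ("jaVascripT:confirm();", "java\tscript:confirm();",
                   " javascript:confirm();", "/index.php", "//evil.example/",
                   "https://firstblood.com/"):
        print(f"{sample!r:28} weak_filter={weak_filter(sample)!s:5} "
              f"safe_ref={safe_ref(sample)!r}")
```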