FirstBlood-#624 — Reflected XSS in register.php page
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, sumyth (Level 2) reported:
Please find a brief description of the vulnerability below:
Steps to Reproduce:
- Visit the vulnerable endpoint. Add the 'ref=' parameter to the URL and forward it to the server. Observe that we have a new navigation item which allows us to return to the previous page.
- Add the payload to the ref parameter and send the modified request to the server. Observe that the payload is successfully inserted into the navigation item's href parameter.
FirstBlood ID: 32
Vulnerability Type: Reflected XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly, the developer failed to use strtolower() when comparing strings, so the check is case-sensitive; secondly, characters such as %09 (tab) will also bypass the filter.
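The two weaknesses named above (a case-sensitive string comparison and a filter that control characters such as %09 slip past) both come from validating the ref value by blacklisting a prefix. The following Python is an added illustration, not FirstBlood's own PHP code: `weak_ref_check` models the kind of prefix check the report describes, and `safe_ref` shows the defensive alternative, which decodes and strips control characters first, compares case-insensitively via the parsed scheme, and only ever accepts a same-site relative path. It goes slightly beyond the report by also rejecting protocol-relative (`//host`) and absolute URLs, since an allowlist of relative paths covers those for free. The function names and the `/` fallback are assumptions for this example.

```python
import html
import urllib.parse

# Constructed model of the weak check the report describes (not FirstBlood code):
# a case-sensitive prefix blacklist. "JavaScript:" or "java%09script:" both pass it.
def weak_ref_check(ref: str) -> bool:
    return not ref.startswith("javascript:")

# Hardened check (assumed design for this example): allowlist a same-site relative
# path instead of blacklisting a scheme. Steps:
#   1. percent-decode, so %09 and friends are seen as the characters they become;
#   2. drop ASCII control characters (tab, newline, ...) that browsers ignore in URLs;
#   3. parse and reject anything with a scheme (parsed case-insensitively) or a host;
#   4. require a single leading "/" (so "//host" and "/\host" are refused).
def safe_ref(ref: str, default: str = "/") -> str:
    decoded = urllib.parse.unquote(ref)
    cleaned = "".join(ch for ch in decoded if ord(ch) >= 0x20 and ord(ch) != 0x7F).strip()
    parsed = urllib.parse.urlparse(cleaned)
    if parsed.scheme or parsed.netloc:
        return default
    if not cleaned.startswith("/") or cleaned.startswith(("//", "/\\")):
        return default
    return cleaned

# Render the "return to previous page" item; attribute-escape the value as well,
# because a validated path can still contain characters like " or &.
def back_link(ref: str) -> str:
    return '<a href="%s">Return to previous page</a>' % html.escape(safe_ref(ref), quote=True)

if __name__ == "__main__":
    for sample in ["/login.php", "JavaScript:0", "java%09script:0", "//evil.example"]:
        print(repr(sample), "weak:", weak_ref_check(sample), "safe:", safe_ref(sample))
```

The design point is that the fix is not a better blacklist: normalising input before an allowlist check removes the case and control-character bypasses in one step, and escaping the output closes the href injection regardless of what the parameter contained.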