FirstBlood-#703 — Reflective XSS on register page
This issue was discovered on FirstBlood v2
On 2021-10-27, axe Level 4 reported:
After the test is finished and reset, continue to test XSS in ref parameter
<svg/onload=alert(0)> -> F12 -> angle brackets are found to be HTML encoded
Insert XSS payload after URL encoding:
<script>alert(0)</script> -> it is found that
After testing, it is found that the case is not strictly filtered. Finally, XSS payload is used:
XSS -> JSONP Upgrade Utilization
Open Redirect -> XSS -> Stealing Token
Open Redirect(Resolved #537)
I can't solve it for now. I can't get the drps cookie value because I'm not logged in to the admin credentials.
Successfully obtained the administrator's cookie!!!
Suggestions for fixing
Study reference materials
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The ?ref parameter on register.php was poorly fixed and can be bypassed in several ways. First, the developer failed to use strtolower() when comparing strings, so case variants of the blocked strings slip past the check; second, characters such as %09 (a URL-encoded tab) also bypass the filter.
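An added illustration, constructed for this page and not taken from FirstBlood's source, of why a blocklist of that kind fails and what the defender's fix looks like: a reconstructed case-sensitive blocklist beside an allowlist validator with HTML attribute encoding on output. The blocked tokens, the allowlist pattern and the sample values are assumptions.

```python
# Constructed example: a reconstruction of the kind of blocklist the report
# describes for register.php?ref, beside a defender's fix. The blocked tokens,
# the allowlist pattern and the sample values are assumptions, not FirstBlood code.
import html
import re
from urllib.parse import unquote

# Reconstructed blocklist: lowercase tokens compared case-sensitively, which is
# the flaw the page names (no strtolower() before comparing).
BLOCKED_TOKENS = ("<script", "javascript:")


def weak_filter(ref: str) -> bool:
    """True when the reconstructed filter would accept the value.

    Misses case variants (<ScRiPt>) and tokens split by an encoded tab (%09),
    because neither matches the lowercase, whitespace-free tokens.
    """
    decoded = unquote(ref)
    return not any(token in decoded for token in BLOCKED_TOKENS)


# Allowlist for a same-site redirect target: one leading slash (so no scheme
# and no protocol-relative //host), then path characters only.
_SITE_RELATIVE_PATH = re.compile(r"^/(?!/)[A-Za-z0-9_./-]{0,63}$")


def is_safe_ref(ref: str) -> bool:
    """Allowlist check: decode once, then accept only a site-relative path."""
    return bool(_SITE_RELATIVE_PATH.match(unquote(ref)))


def render_ref(ref: str) -> str:
    """Build the hidden input that echoes ?ref: fall back to a safe default
    and HTML-encode the attribute so the value can never close it."""
    decoded = unquote(ref)
    if not _SITE_RELATIVE_PATH.match(decoded):
        decoded = "/"
    return '<input type="hidden" name="ref" value="%s">' % html.escape(decoded, quote=True)


def audit(values):
    """Compare both checks over a list of inputs; usable as a regression test
    after a fix to confirm case and whitespace variants are all rejected."""
    return {v: (weak_filter(v), is_safe_ref(v)) for v in values}
```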